CVE-2026-54092 in File Browser
Summary
by MITRE • 06/25/2026
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. Prior to 2.63.6, unchecked password maximums allow an arbitrarily large password to be passed into the login API. This spikes CPU and memory and, after testing, crashes and heavily lags any container created, and has even made my docker daemon start to send errors with status code 500 even after the container was destroyed. This vulnerability is fixed in 2.63.6.
Analysis
by VulDB Data Team • 06/26/2026
The File Browser login API accepts a password of any length: the authentication path performs no bound check on the password field before processing it. Versions prior to 2.63.6 are affected; 2.63.6 addresses the issue.
Because no upper bound is enforced, the server accepts and processes a password string of whatever size the client chooses to send. The request body has to be read into memory and the password handed to the authentication code, so the cost of a single login attempt scales with attacker-controlled input instead of with a fixed limit. That is the resource-exhaustion condition.
The reported impact is on availability, not on authentication itself. Oversized passwords drive CPU and memory consumption up sharply; in the reporter's testing this crashed or severely lagged the container running File Browser, and the Docker daemon on the host kept returning status code 500 errors even after the container was destroyed. The effect is therefore not confined to the application process but can degrade the container host.
The weakness is CWE-770 (Allocation of Resources Without Limits or Throttling). VulDB maps it to ATT&CK T1496; the resulting condition is an application-layer denial of service against the authentication endpoint, which ATT&CK describes more specifically under T1499 (Endpoint Denial of Service). No credentials are needed, since a login endpoint is reachable without authentication by definition. It is a standard example of a small input-validation gap producing a system-wide availability failure.
Mitigation: upgrade to File Browser 2.63.6 or later. Where upgrading is delayed, enforce a strict password length bound at the login endpoint (128 characters is a common upper limit; bcrypt, for example, uses only the first 72 bytes of a password, so a longer limit buys no security), cap the size of the login request body at the reverse proxy or in the handler, and rate-limit login attempts per source. Monitor CPU and memory on the container and on the host, since the reported effects extended beyond the File Browser process.
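To make the bound concrete, the following Go program is an added example (not File Browser's own code) contrasting a login parser that reads an unbounded request body with one that caps the body using http.MaxBytesReader and rejects oversized passwords before anything is hashed. The handler and function names, the 4 KiB body cap and the 128-character password limit are assumptions chosen for illustration; the sample login bodies are constructed in the program.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Illustrative limits (assumptions, not File Browser's values): a JSON login
// request fits comfortably in 4 KiB, and 128 bytes is ample for a password.
const (
	maxLoginBody   = 4 << 10
	maxPasswordLen = 128
)

type loginRequest struct {
	Username string `json:"username"`
	Password string `json:"password"`
}

var errPasswordTooLong = errors.New("password exceeds maximum length")

// parseLoginUnbounded mirrors the vulnerable pattern: it reads whatever the client
// sends and decodes it, so both the body size and the password length are
// attacker-controlled and the server's memory use grows with the request.
func parseLoginUnbounded(r *http.Request) (loginRequest, error) {
	var req loginRequest
	body, err := io.ReadAll(r.Body)
	if err != nil {
		return req, err
	}
	err = json.Unmarshal(body, &req)
	return req, err
}

// parseLoginBounded caps the body before decoding and rejects oversized
// passwords before they reach the password hash. The length check is in bytes,
// which is the quantity the hash and the allocator actually see.
func parseLoginBounded(w http.ResponseWriter, r *http.Request) (loginRequest, error) {
	var req loginRequest
	r.Body = http.MaxBytesReader(w, r.Body, maxLoginBody)
	dec := json.NewDecoder(r.Body)
	dec.DisallowUnknownFields()
	if err := dec.Decode(&req); err != nil {
		return req, err // a *http.MaxBytesError when the cap is exceeded
	}
	if len(req.Password) > maxPasswordLen {
		return req, errPasswordTooLong
	}
	return req, nil
}

// loginHandler wires the bounded parser into an http.Handler. The credential
// check itself is omitted: the point is what happens before it runs.
func loginHandler(w http.ResponseWriter, r *http.Request) {
	if _, err := parseLoginBounded(w, r); err != nil {
		var mbe *http.MaxBytesError
		switch {
		case errors.As(err, &mbe):
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
		case errors.Is(err, errPasswordTooLong):
			http.Error(w, "password too long", http.StatusBadRequest)
		default:
			http.Error(w, "bad request", http.StatusBadRequest)
		}
		return
	}
	w.WriteHeader(http.StatusOK)
}

// constructedLogin builds a JSON login body with a password of the given length.
func constructedLogin(passwordLen int) *http.Request {
	body := `{"username":"admin","password":"` + strings.Repeat("a", passwordLen) + `"}`
	return httptest.NewRequest(http.MethodPost, "/api/login", strings.NewReader(body))
}

// postLogin returns the status code the bounded handler gives a password of the given length.
func postLogin(passwordLen int) int {
	rec := httptest.NewRecorder()
	loginHandler(rec, constructedLogin(passwordLen))
	return rec.Code
}

// unboundedPasswordLen returns how many password bytes the unbounded parser
// ends up holding in memory, or -1 if it rejected the request.
func unboundedPasswordLen(passwordLen int) int {
	parsed, err := parseLoginUnbounded(constructedLogin(passwordLen))
	if err != nil {
		return -1
	}
	return len(parsed.Password)
}

func main() {
	fmt.Println("16-char password:", postLogin(16))
	fmt.Println("129-char password:", postLogin(129))
	fmt.Println("1 MiB body:", postLogin(1<<20))
	fmt.Println("unbounded parser holds bytes:", unboundedPasswordLen(1<<20))
}
```

The body cap is the more important of the two checks: it stops the oversized request at the socket, before the JSON decoder allocates for it, whereas the password length check alone would still let the server buffer the whole string first. In a deployment the same cap can be set at the reverse proxy in front of File Browser.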