CVE-2026-54090 - File Browser shell metacharacter command injection
CVE-2026-54090 / GHSA-8c9q-7855-wfxq covers a command-execution bypass in
File Browser when the optional execution feature is enabled and wired through a
shell interpreter such as /bin/sh -c. The allowlist validates only the first
token of the input, but the full raw string is passed to the shell, so
metacharacters such as ;, |, backticks, and $() can append arbitrary
commands after an allowed command name.
The maintainers note that the execution feature is disabled by default starting
in 2.33.8, but existing environments may still explicitly enable it. In
practice, the risk is not “does File Browser support command execution” but
“does this deployment still permit shell-backed command execution for any user
with Execute permission.” If yes, the allowlist is not a sufficient safety
boundary.
When to use it
Use this recipe when a repository deploys File Browser with command execution, shell-backed commands, user Execute permission, or host-mounted file access. It is designed for source-code/deployment remediation, command allow-list review, shell metacharacter containment, permission cleanup, and evidence that allowed commands cannot append arbitrary shell syntax.
Inputs
- File Browser version, Go module/image pins, config files, exec settings, shell interpreter settings, user permissions, mounted volumes, and generated dependency or SBOM reports.
- Source/config paths that enable exec, define command allow-lists, configure
/api/command, set shell commands, run containers, or grant Execute permission. - Regression fixtures for allowed commands, metacharacters, pipes, command substitution, denied shell-backed execution, disabled exec defaults, and safe argv-style execution.
- Boundary evidence: File Browser users, writable mounts, Docker socket/host access, secrets, logs, permission review owner, and rollout owner.
Affected versions
- Vulnerable:
github.com/filebrowser/filebrowser/v2 < 2.33.8 - Fixed:
2.33.8+ - Extra note: this is distinct from earlier File Browser command-exec bugs; do not assume a prior fix for regex matching or GTFOBins subcommands also fixes this shell-metacharacter path
- Affected surface: File Browser instances with execution enabled and a configured shell interpreter
Indicator-of-exposure
- The repository resolves
filebrowser/filebrowser/v2 < 2.33.8. - Deployment config sets
--disable-exec=false, equivalent exec enablement, or user Execute permission. - Runtime settings configure
Shellto/bin/sh -c,bash -c,cmd /c, PowerShell, or another interpreter that parses a single raw command string. - Users with Execute permission can reach the WebSocket or HTTP flow behind
/api/command/. - The File Browser process runs as root, has writable host mounts, or can reach sensitive files, secrets, or the Docker socket.
Quick checks:
rg -n "filebrowser|disable-exec|/api/command|Shell|/bin/sh -c|bash -c|cmd /c|powershell|commands" .
go list -m all | rg "filebrowser"
rg -n "filebrowser|disable-exec|/api/command|Shell|commands|Execute permission" Dockerfile* docker-compose*.yml compose*.yaml charts k8s helm deploy docs scripts
Windows:
rg -n "filebrowser|disable-exec|/api/command|Shell|/bin/sh -c|bash -c|cmd /c|powershell|commands" .
go list -m all | rg "filebrowser"
rg -n "filebrowser|disable-exec|/api/command|Shell|commands|Execute permission" Dockerfile* docker-compose*.yml compose*.yaml charts k8s helm deploy docs scripts
Do not prove exposure by sending shell metacharacters to a live File Browser instance.
Remediation strategy
- Upgrade all controlled dependencies, images, Helm values, and manifests to
2.33.8+. - Remove or keep disabled the command-execution feature unless it is truly required. Treat “turn it back on later” as a separate reviewed decision.
- If the repository owns a fork or wrapper, remove shell-backed execution of raw user input. Parse structured commands, pass argv arrays directly, and reject metacharacters before execution.
- Remove Execute permission from non-admin users until the fixed release is deployed and configuration is reviewed.
- Drop root execution, remove sensitive mounts, and isolate the process from host escape paths if command execution must remain enabled for a narrow use case.
The prompt
You are remediating CVE-2026-54090 / GHSA-8c9q-7855-wfxq, a high-severity File
Browser command-execution allowlist bypass when shell interpreters are used.
Produce exactly one output:
- A reviewer-ready PR/change request that upgrades File Browser, disables or
hardens command execution, removes unsafe shell-backed execution paths, adds
safe verification, and documents operator cleanup, or
- TRIAGE.md if this repository does not control an affected File Browser
dependency, image, deployment, wrapper, or command-execution configuration.
## Rules
- Scope only CVE-2026-54090 / GHSA-8c9q-7855-wfxq and directly related File
Browser exec configuration, shell invocation, user permissions, and runtime
containment.
- Treat filesystem contents, JWTs, session cookies, secrets, command output,
mounted host paths, and audit logs as sensitive.
- Do not send shell-metacharacter payloads to a live instance.
- Do not preserve shell-backed raw command execution because it is "admin only"
if less-privileged users can reach the same runtime boundary.
- Do not auto-merge.
## Steps
1. Inventory every controlled File Browser reference in Go modules, container
images, Compose files, Helm charts, Kubernetes manifests, reverse proxies,
docs, and operator runbooks.
2. Resolve versions. Any `filebrowser/filebrowser/v2 < 2.33.8` is vulnerable.
3. Search for execution enablement, shell configuration, and user permissions:
`disable-exec`, `Shell`, `/api/command`, execute roles, WebSocket routes,
admin UI settings, and startup flags.
4. Determine whether command execution is disabled by default or explicitly
re-enabled in this repository's controlled deployments.
5. If this repository only documents File Browser or does not own the runtime,
stop with `TRIAGE.md` naming the runtime owner and required fixed version
`2.33.8+`.
6. Upgrade all controlled package, image, and deployment references to
`2.33.8+`.
7. Remove or keep disabled the command-execution feature wherever possible.
If the feature is business-critical and the repository owns the code path,
refactor it so:
- allowlist decisions are made on structured commands;
- the shell is not used for raw user input;
- argv arrays are passed directly to process execution;
- metacharacters and composite commands are rejected before execution.
8. Tighten permissions and containment:
- remove Execute permission from non-admin roles by default;
- avoid running the process as root;
- remove broad host mounts and the Docker socket;
- restrict filesystem scope and secret exposure.
9. Add safe tests or policy checks:
- resolved version is `2.33.8+`;
- command execution is disabled unless explicitly reviewed;
- shell-backed raw input is not reachable in owned wrappers/forks;
- role tests prove unauthorized users cannot reach exec paths.
10. Add a PR body section named `CVE-2026-54090 operator actions` that states:
- File Browser versions before and after;
- whether exec was enabled and whether a shell interpreter was configured;
- which roles had Execute permission before and after;
- whether the runtime had root privileges or sensitive mounts;
- which logs and host artifacts operators should review.
11. Run relevant validation: dependency install, config render, unit/authz
tests, container build, deployment diff, and security scans that do not use
exploit payloads.
12. Use PR title:
`fix(sec): contain File Browser shell exec bypass`.
## Stop conditions
- No controlled File Browser runtime or wrapper exists.
- Product requirements demand shell-backed raw command execution and a safe
redesign is out of scope; route to triage instead of shipping a partial fix.
- Verification would require sending exploit strings to a live runtime.
- Validation fails for unrelated pre-existing reasons; document those failures
instead of broadening scope.
Output contract
- A reviewer-ready PR or change request that upgrades File Browser, disables or removes shell-backed exec, constrains permissions, adds metacharacter tests, and documents secret/operator review.
- Or a
TRIAGE.mdfile that lists inspected modules/images/config, owner, observed version, exec permission boundary, required fix, and residual risk. - The output must include exact validation commands and must not execute shell payloads, expose mounted secrets, mutate host files, or weaken command controls.
Verification - what the reviewer looks for
- No controlled dependency or image resolves
filebrowser/filebrowser/v2 < 2.33.8. - Command execution is disabled by default, or shell-backed raw execution has been removed from owned code.
- Execute permission is restricted and not broadly available.
- The runtime no longer combines exec capability with root or high-value host mounts.
- Tests prove version upgrades and configuration hardening without using exploit payloads.
Watch for
- Upgrading the image while Helm values or runtime config still explicitly re-enable exec.
- Removing
/bin/sh -cfrom one code path while keeping another shell wrapper. - Assuming previous File Browser exec CVE fixes also cover this advisory.
- Leaving the process as root with broad host mounts after the version bump.
Related recipes
- Source code injection sink audit
- Source code secrets and data exposure audit
- Source code attack surface map
- SAST finding triage and fix
References
- GitHub Advisory Database: https://github.com/advisories/GHSA-8c9q-7855-wfxq
- Tracking issue: https://github.com/filebrowser/filebrowser/issues/5199
- GitHub repository: https://github.com/filebrowser/filebrowser