CVE-2026-32759
Published: 20 March 2026
Summary
CVE-2026-32759 is a medium-severity Integer Overflow or Wraparound (CWE-190) vulnerability in File Browser by Filebrowser. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 23.0% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a publicly referenced proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
File Browser versions on the 2.x branch prior to 2.33.8 contain an integer handling flaw in the TUS resumable upload handler at the /api/tus endpoint. The handler treats the Upload-Length header value as a signed 64-bit integer without enforcing a non-negative constraint, so an authenticated user can supply a negative length that immediately satisfies the completion condition on the first PATCH request. This causes the server to invoke any configured after_upload exec hooks against empty or partial files and to create inconsistent cache entries marking nonexistent uploads as complete. The enableExec flag, which is required for hook execution, amplifies the effect from cache corruption to potential command injection or workflow abuse such as S3 ingestion or database writes.
An authenticated attacker can repeatedly trigger the flaw with arbitrary filenames to force expensive hook processing for denial of service, to amplify command injection when malicious filenames reach exec hooks, or to poison downstream upload-driven pipelines. The vulnerability affects all deployments that expose the TUS endpoint, though successful exploitation still requires the instance administrator to have enabled the exec feature despite its documented risks.
The referenced GitHub security advisory and issue tracker indicate that version 2.33.8 disables the exec feature by default for both new and existing installations, thereby removing the pathway to remote command execution while leaving only the lower-severity cache inconsistency.
EPSS for this CVE rose from a low baseline of 0.0015 to a peak of 0.0101, indicating that exploitation interest increased after disclosure and that the issue merits renewed attention.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-13408
Vulnerability details
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. In versions on the 2.x branch prior to 2.33.8, the TUS resumable upload handler parses the Upload-Length header as a signed 64-bit integer without validating that the value is non-negative, allowing an authenticated user to supply a negative value that instantly satisfies the upload completion condition upon the first PATCH request. This causes the server to fire after_upload exec hooks with empty or partial files, enabling an attacker to repeatedly trigger any configured hook with arbitrary filenames and zero bytes written. The impact ranges from DoS through expensive processing hooks, to command injection amplification when combined with malicious filenames, to abuse of upload-driven workflows like S3 ingestion or database inserts. Even without exec hooks enabled, the negative Upload-Length creates inconsistent cache entries where files are marked complete but contain no data. All deployments using the TUS upload endpoint (/api/tus) are affected, with the enableExec flag escalating the impact from cache inconsistency to remote command execution. This feature has been disabled by default for all installations from v2.33.8 onwards, including for existing installations. To exploit this vulnerability, the instance administrator must turn on a feature and ignore all the warnings about known vulnerabilities.
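As an added illustration (not File Browser's code), the following Go model shows the Upload-Length handling described in the deeper analysis and in the details above: the unchecked parser accepts a negative length, so the completion test passes on a zero-byte first PATCH, while the hardened parser accepts only a non-negative int64 and also rejects values that overflow. The completion condition (bytes written >= declared length), the function names and the header values are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"strconv"
)

// Constructed model of the Upload-Length handling described above; not File Browser's code.

// parseUploadLengthUnchecked mirrors the flaw: any signed int64 is accepted, so "-1" parses.
func parseUploadLengthUnchecked(h http.Header) (int64, error) {
	return strconv.ParseInt(h.Get("Upload-Length"), 10, 64)
}

// parseUploadLength is the hardened variant (the SI-10 input check): the header must be
// a decimal, non-negative int64, as the tus protocol defines it. Values that do not fit
// in int64 (CWE-190 territory) already fail ParseInt; negatives are rejected explicitly.
func parseUploadLength(h http.Header) (int64, error) {
	raw := h.Get("Upload-Length")
	n, err := strconv.ParseInt(raw, 10, 64)
	if err != nil || n < 0 {
		return 0, fmt.Errorf("invalid Upload-Length header %q", raw)
	}
	return n, nil
}

// isComplete models the completion test evaluated after each PATCH (assumed form:
// bytes written so far >= declared length). With length -1 it is true at offset 0.
func isComplete(written, length int64) bool {
	return written >= length
}

// patchWouldComplete reports whether a first PATCH writing n bytes would mark the
// upload complete (and so fire after_upload hooks) under the given parser.
func patchWouldComplete(parse func(http.Header) (int64, error), hdr http.Header, n int64) (bool, error) {
	length, err := parse(hdr)
	if err != nil {
		return false, err
	}
	return isComplete(n, length), nil
}

func main() {
	hdr := http.Header{"Upload-Length": {"-1"}} // constructed request header
	done, err := patchWouldComplete(parseUploadLengthUnchecked, hdr, 0)
	fmt.Println("unchecked:", done, err) // unchecked: true <nil>
	done, err = patchWouldComplete(parseUploadLength, hdr, 0)
	fmt.Println("hardened:", done, err) // hardened: false invalid Upload-Length header "-1"
}
```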
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote exploitation of a public-facing web application (T1190) via a crafted PATCH request, which in turn can lead to Unix shell command execution through after_upload exec hooks (T1059.004) and to application denial of service via resource-intensive hooks (T1499.004).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation of external inputs such as the Upload-Length header to ensure non-negative values, preventing the upload completion bypass with negative integers.
- SI-2 (Flaw Remediation): Mandates identification, reporting, and correction of flaws such as the improper signed integer parsing in the TUS handler, enabling timely patching.
- CM-7 (Least Functionality): Enforces least functionality by prohibiting or restricting risky features such as the TUS endpoint or exec hooks, mitigating exploitation even without a patch.