CVE-2026-32867
Published: 19 March 2026
Summary
CVE-2026-32867 is a medium-severity Forced Browsing (CWE-425) vulnerability in Opexustech Ecase Ecomplaint. Its CVSS base score is 5.4 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-14 (Public Access Protections).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations for logical access to the DocumentUploadPub.aspx endpoint, preventing unauthenticated attackers from guessing case numbers to upload arbitrary files into existing cases.
Provides protections for public-facing interfaces like Portal/EEOC/DocumentUploadPub.aspx to restrict unauthorized access and file uploads by unauthenticated remote attackers.
Mitigates the availability impact of storage exhaustion by implementing denial-of-service protections against mass arbitrary file uploads.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in public-facing web app (DocumentUploadPub.aspx) allows unauthenticated remote file upload via IDOR/forced browsing (T1190); directly enables injection of arbitrary files into case storage, resulting in unauthorized stored data manipulation visible to users (T1565.001).
NVD Description
OPEXUS eComplaint before version 10.1.0.0 allows an unauthenticated attacker to obtain or guess an existing case number and upload arbitrary files via 'Portal/EEOC/DocumentUploadPub.aspx'. Users would see these unexpected files in cases. Uploading a large number of files could consume storage.
Deeper analysisAI
CVE-2026-32867 is a vulnerability in OPEXUS eComplaint versions prior to 10.1.0.0 that enables an unauthenticated attacker to obtain or guess an existing case number and upload arbitrary files via the 'Portal/EEOC/DocumentUploadPub.aspx' endpoint. Affected users would then see these unexpected files within cases, and an attacker could upload a large number of files to consume storage resources. The issue is rated at a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L) and is associated with CWE-425 (Direct Request ('Forced Browsing')) and CWE-639 (Authorization Bypass Through User-Controlled Key).
An unauthenticated remote attacker can exploit this vulnerability over the network with low attack complexity, though it requires user interaction. Exploitation allows the attacker to inject arbitrary files into existing cases by guessing or obtaining case numbers, leading to limited integrity impacts as legitimate users encounter unauthorized content. Additionally, mass file uploads can cause limited availability impacts through storage exhaustion.
Advisories recommend upgrading to OPEXUS eComplaint version 10.1.0.0 or later to mitigate the vulnerability. Key references include the CISA CSAF advisory at https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-077-01.json and the official CVE record at https://www.cve.org/CVERecord?id=CVE-2026-32867.
Details
- CWE(s)