Cyber Resilience

CVE-2026-32867

Medium

Published: 19 March 2026

Published
19 March 2026
Modified
30 March 2026
KEV Added
Patch
CVSS Score v4 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0019 9.1th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-32867 is a medium-severity Forced Browsing (CWE-425) vulnerability in Opexustech Ecase Ecomplaint. Its CVSS base score is 5.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 9.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-14 (Public Access Protections).

Deeper analysis

CVE-2026-32867 is a vulnerability in OPEXUS eComplaint versions prior to 10.1.0.0 that enables an unauthenticated attacker to obtain or guess an existing case number and upload arbitrary files via the 'Portal/EEOC/DocumentUploadPub.aspx' endpoint. Affected users would then see these unexpected files within cases, and an attacker could upload a large number of files to consume storage resources. The issue is rated at a CVSS v3.1 base score of 5.4 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L) and is associated with CWE-425 (Direct Request ('Forced Browsing')) and CWE-639 (Authorization Bypass Through User-Controlled Key).

An unauthenticated remote attacker can exploit this vulnerability over the network with low attack complexity, though it requires user interaction. Exploitation allows the attacker to inject arbitrary files into existing cases by guessing or obtaining case numbers, leading to limited integrity impacts as legitimate users encounter unauthorized content. Additionally, mass file uploads can cause limited availability impacts through storage exhaustion.

Advisories recommend upgrading to OPEXUS eComplaint version 10.1.0.0 or later to mitigate the vulnerability. Key references include the CISA CSAF advisory at https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-077-01.json and the official CVE record at https://www.cve.org/CVERecord?id=CVE-2026-32867.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

OPEXUS eComplaint before version 10.1.0.0 allows an unauthenticated attacker to obtain or guess an existing case number and upload arbitrary files via 'Portal/EEOC/DocumentUploadPub.aspx'. Users would see these unexpected files in cases. Uploading a large number of files could consume storage.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1565.001 Stored Data Manipulation Impact
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

Vulnerability in public-facing web app (DocumentUploadPub.aspx) allows unauthenticated remote file upload via IDOR/forced browsing (T1190); directly enables injection of arbitrary files into case storage, resulting in unauthorized stored data manipulation visible to users (T1565.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22235Same product: Opexustech Ecase Ecomplaint
CVE-2026-32865Same product: Opexustech Ecase Ecomplaint
CVE-2026-22234Same vendor: Opexustech
CVE-2024-53553Same vendor: Opexustech
CVE-2026-22230Same vendor: Opexustech
CVE-2025-62586Same vendor: Opexustech
CVE-2026-33702Shared CWE-639
CVE-2026-25564Shared CWE-639
CVE-2026-26078Shared CWE-639
CVE-2024-50689Shared CWE-639

Affected Assets

opexustech
ecase ecomplaint
≤ 10.1.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for logical access to the DocumentUploadPub.aspx endpoint, preventing unauthenticated attackers from guessing case numbers to upload arbitrary files into existing cases.

prevent

Provides protections for public-facing interfaces like Portal/EEOC/DocumentUploadPub.aspx to restrict unauthorized access and file uploads by unauthenticated remote attackers.

prevent

Mitigates the availability impact of storage exhaustion by implementing denial-of-service protections against mass arbitrary file uploads.

References