CVE-2026-32759
Published: 20 March 2026
Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. In versions 2.61.2 and below, the TUS resumable upload handler parses the Upload-Length header as a signed 64-bit integer without validating that the value is non-negative, allowing an authenticated user to supply a negative value that instantly satisfies the upload completion condition upon the first PATCH request. This causes the server to fire after_upload exec hooks with empty or partial files, enabling an attacker to repeatedly trigger any configured hook with arbitrary filenames and zero bytes written. The impact ranges from DoS through expensive processing hooks, to command injection amplification when combined with malicious filenames, to abuse of upload-driven workflows like S3 ingestion or database inserts. Even without exec hooks enabled, the negative Upload-Length creates inconsistent cache entries where files are marked complete but contain no data. All deployments using the TUS upload endpoint (/api/tus) are affected, with the enableExec flag escalating the impact from cache inconsistency to remote command execution. At the time of publication, no patch or mitigation was available to address this issue.
Mitigating Controls (NIST 800-53 r5)
- Directly requires validation of external inputs like the Upload-Length header to ensure non-negative values, preventing the upload completion bypass with negative integers.
- Mandates identification, reporting, and correction of flaws such as the improper signed integer parsing in the TUS handler, enabling timely patching.
- Enforces least functionality by prohibiting or restricting risky features like the TUS endpoint or exec hooks, mitigating exploitation even without a patch.
Security Summary
CVE-2026-32759 is a vulnerability in File Browser, an open-source file managing interface, affecting versions 2.61.2 and prior. The issue resides in the TUS resumable upload handler, which parses the Upload-Length header as a signed 64-bit integer without validating that the value is non-negative. This flaw impacts all deployments using the TUS upload endpoint (/api/tus), leading to improper handling of upload completion conditions and potential execution of after_upload hooks with incomplete or empty files.
An authenticated user with low privileges can exploit this vulnerability remotely over the network with low complexity by sending a PATCH request with a negative Upload-Length value. This instantly satisfies the server's upload completion check on the first request, despite zero bytes being written, allowing the attacker to repeatedly trigger configured after_upload exec hooks using arbitrary filenames. Potential impacts include denial of service through resource-intensive hooks, amplification of command injection via malicious filenames, abuse of upload-driven workflows such as S3 ingestion or database inserts, and inconsistent cache entries marking empty files as complete. When the enableExec flag is active, exploitation escalates to remote command execution. The vulnerability has a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H) and is associated with CWE-190 (Integer Overflow or Wraparound).
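The root cause is easiest to see in a small model of the completion check. This is an added illustration, not File Browser's own code: a hypothetical handler parses Upload-Length with strconv.ParseInt and treats the upload as complete once the written offset reaches the declared length, so a negative length is "reached" by the very first PATCH with zero bytes. The validated variant rejects negative values.

```go
package main

import (
	"fmt"
	"net/http"
	"strconv"
)

// parseUploadLengthVulnerable models the flawed parse described in the
// advisory: a signed 64-bit integer with no sign check (hypothetical model,
// not File Browser's own code).
func parseUploadLengthVulnerable(h http.Header) (int64, error) {
	return strconv.ParseInt(h.Get("Upload-Length"), 10, 64)
}

// parseUploadLengthFixed rejects negative values, so the completion check
// below can only become true once the declared number of bytes has arrived.
func parseUploadLengthFixed(h http.Header) (int64, error) {
	n, err := strconv.ParseInt(h.Get("Upload-Length"), 10, 64)
	if err != nil || n < 0 {
		return 0, fmt.Errorf("invalid Upload-Length header %q", h.Get("Upload-Length"))
	}
	return n, nil
}

// hookFiresAfterPatch simulates the server's decision after a PATCH that wrote
// `written` bytes: the after_upload hook runs when offset >= declared length.
// With a negative length that holds even when written == 0.
func hookFiresAfterPatch(h http.Header, written int64, validate bool) (bool, error) {
	parse := parseUploadLengthVulnerable
	if validate {
		parse = parseUploadLengthFixed
	}
	length, err := parse(h)
	if err != nil {
		return false, err
	}
	return written >= length, nil
}

func main() {
	hdr := http.Header{}
	hdr.Set("Upload-Length", "-1") // constructed value for the demonstration
	fired, _ := hookFiresAfterPatch(hdr, 0, false)
	fmt.Println("unvalidated: hook fires with zero bytes written:", fired)
	_, err := hookFiresAfterPatch(hdr, 0, true)
	fmt.Println("validated: request rejected:", err)
}
```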
The GitHub security advisory (GHSA-ffx7-75gc-jg7c) and related issue tracker (#5199) detail the flaw, but at the time of publication on 2026-03-20, no patch or mitigation was available. Security practitioners should monitor these repositories for updates and consider disabling the TUS endpoint or exec hooks where feasible until a fix is released.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote exploitation of a public-facing web application (T1190) via a crafted PATCH request, which in turn allows Unix shell command execution through after_upload exec hooks (T1059.004) and application denial of service via resource-intensive hooks (T1499.004).