CVE-2026-32759 in filebrowser
Summary
by MITRE • 03/20/2026
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. In versions 2.61.2 and below, the TUS resumable upload handler parses the Upload-Length header as a signed 64-bit integer without validating that the value is non-negative, allowing an authenticated user to supply a negative value that instantly satisfies the upload completion condition upon the first PATCH request. This causes the server to fire after_upload exec hooks with empty or partial files, enabling an attacker to repeatedly trigger any configured hook with arbitrary filenames and zero bytes written. The impact ranges from DoS through expensive processing hooks, to command injection amplification when combined with malicious filenames, to abuse of upload-driven workflows like S3 ingestion or database inserts. Even without exec hooks enabled, the negative Upload-Length creates inconsistent cache entries where files are marked complete but contain no data. All deployments using the TUS upload endpoint (/api/tus) are affected, with the enableExec flag escalating the impact from cache inconsistency to remote command execution. At the time of publication, no patch or mitigation was available to address this issue.
Analysis
by VulDB Data Team • 03/25/2026
The vulnerability identified as CVE-2026-32759 affects File Browser versions 2.61.2 and below, specifically targeting the TUS resumable upload handler implementation. This flaw exists within the upload-length header parsing mechanism that processes signed 64-bit integers without proper validation for negative values. The technical implementation fails to validate that the Upload-Length header contains a non-negative integer value, creating a critical validation bypass opportunity for authenticated users. The vulnerability operates through the TUS protocol's resumable upload mechanism where the server maintains state information about ongoing uploads and determines completion based on the specified upload length. When a negative value is provided in the Upload-Length header, the server immediately considers the upload complete upon the first PATCH request, bypassing normal upload validation and processing logic.
The operational impact of this vulnerability extends beyond simple denial of service conditions to encompass more severe security implications including command injection amplification when combined with malicious filenames. The flaw allows attackers to repeatedly trigger configured exec hooks with arbitrary filenames and zero bytes written, creating a persistent attack vector that can overwhelm server resources through expensive processing hooks. The vulnerability specifically targets the /api/tus endpoint which serves as the primary interface for TUS uploads, making all deployments using this functionality susceptible to exploitation. When the enableExec flag is active, the impact escalates from simple cache inconsistency issues to full remote command execution capabilities, as the server executes hooks with empty or partial file data that can contain malicious payloads. This creates a significant risk for systems that rely on automated workflows triggered by file uploads, including those integrating with S3 ingestion pipelines or database insertion processes that depend on upload completion events.
The security implications of this vulnerability align with CWE-191, which addresses integer underflow conditions, and CWE-195, which covers signed to unsigned conversion errors. From an ATT&CK framework perspective, this vulnerability maps to T1059.007 for command and scripting interpreter execution and T1498 for network denial of service. The vulnerability enables attackers to create inconsistent cache entries where files are marked complete but contain no data, leading to cascading failures in upload-driven workflows. Even without exec hooks enabled, the negative Upload-Length values cause significant operational disruption by creating corrupted state information that affects system reliability and data integrity. The lack of available patches or mitigations at the time of publication leaves affected systems in a particularly vulnerable state, as administrators cannot implement immediate defensive measures. The vulnerability demonstrates a fundamental flaw in input validation and state management within the TUS implementation, highlighting the importance of proper integer validation and boundary checking in server-side file handling operations. Organizations using File Browser with TUS upload capabilities must urgently assess their deployment configurations and consider disabling the TUS endpoint until a proper patch is available, while also monitoring for potential exploitation attempts through anomalous upload patterns or unexpected hook executions.
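The mechanism described above (a signed parse of Upload-Length with no sign check, so a negative value satisfies the completion test before any bytes arrive) and the interim guidance in the last paragraph both come down to one input check. The following Go program is an added illustration written for this page; it is not File Browser's own code, and the function names, the `1<<30` size cap and the guard wrapper are all choices made here. It contrasts the unchecked parse with a hardened one, shows why the completion condition `offset >= length` is trivially met for a negative length, and wraps the check in a small `http.Handler` guard of the kind an operator could place in front of `/api/tus` while no upstream fix is available.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
)

// ErrBadUploadLength is returned for a missing, malformed, negative or
// oversized Upload-Length header.
var ErrBadUploadLength = errors.New("invalid Upload-Length header")

// parseUploadLengthUnchecked reproduces the defect class the advisory
// describes: a plain signed parse that accepts negative values.
// Illustrative only; this is not File Browser's source.
func parseUploadLengthUnchecked(h http.Header) (int64, error) {
	return strconv.ParseInt(h.Get("Upload-Length"), 10, 64)
}

// parseUploadLength is the hardened form: the header must be present, parse
// as a base-10 int64, be non-negative, and (when maxLen > 0) not exceed a
// server-side limit.
func parseUploadLength(h http.Header, maxLen int64) (int64, error) {
	raw := h.Get("Upload-Length")
	if raw == "" {
		return 0, ErrBadUploadLength
	}
	n, err := strconv.ParseInt(raw, 10, 64)
	if err != nil || n < 0 {
		return 0, ErrBadUploadLength
	}
	if maxLen > 0 && n > maxLen {
		return 0, ErrBadUploadLength
	}
	return n, nil
}

// uploadComplete is the completion test a TUS server applies after each
// PATCH. Fed an unchecked negative length it is already true at offset 0,
// which is exactly the condition that fires after_upload hooks on empty files.
func uploadComplete(offset, length int64) bool {
	return offset >= length
}

// requireValidUploadLength is a hypothetical guard (not a File Browser
// feature) that can sit in front of the TUS handler, or in a reverse proxy,
// and refuses requests carrying a bad Upload-Length before any upload state
// is created.
func requireValidUploadLength(maxLen int64, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Upload-Length") != "" {
			if _, err := parseUploadLength(r.Header, maxLen); err != nil {
				http.Error(w, err.Error(), http.StatusBadRequest)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one constructed creation request with the given Upload-Length
// through the guard and returns the resulting status code.
func probe(uploadLength string) int {
	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusCreated) // stand-in for the real TUS handler
	})
	req := httptest.NewRequest(http.MethodPost, "/api/tus", nil)
	req.Header.Set("Upload-Length", uploadLength)
	rec := httptest.NewRecorder()
	requireValidUploadLength(1<<30, next).ServeHTTP(rec, req) // 1 GiB cap, chosen here
	return rec.Code
}

func main() {
	for _, v := range []string{"1024", "-1", "abc"} {
		fmt.Printf("Upload-Length=%q -> HTTP %d\n", v, probe(v))
	}
	// The unchecked parse feeding the completion test: complete at offset 0.
	h := http.Header{}
	h.Set("Upload-Length", "-1")
	n, _ := parseUploadLengthUnchecked(h)
	fmt.Println("unchecked negative length complete at offset 0:", uploadComplete(0, n))
}
```

The guard only inspects the creation request; the completion test itself still runs in the TUS handler, so the durable fix is the sign check inside the parser, with the wrapper serving as a stopgap at the edge. Rejecting with 400 also gives a clean log signal for the "anomalous upload patterns" the analysis recommends watching for.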