CVE-2026-25728
TOCTOU Race Condition in ClipBucket Image Upload Enables RCE
Publication date: 2026-02-10
Last updated on: 2026-02-18
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| oxygenz | clipbucket | From 5.3 (inc) to 5.5.3-40 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-367 | The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25728 is a Time-of-Check to Time-of-Use (TOCTOU) race condition in ClipBucket v5 (affected range per the table above: 5.3 up to, but not including, 5.5.3-40) in the avatar and background image upload functionality.
The vulnerability exists because the application moves an uploaded file into a web-accessible directory before validating that it is a legitimate image. That ordering opens a window during which an attacker can upload a PHP file and request it over HTTP, so that the web server executes it before the validation step deletes it.
Specifically, `upload_user_file()` first moves the uploaded file to a web-accessible path with `move_uploaded_file()` and only then calls `ValidateImage()`. If validation fails the file is removed with `@unlink()`. Between the move and the unlink the file is served and executed as PHP like any other script under the document root, which is what makes the race exploitable for remote code execution. The destination path is predictable (it is derived from the user ID, e.g. /files/avatars/{userid}.php), so the attacker does not need to guess where the payload landed.
An attacker with a low-privilege authenticated account exploits this by uploading a PHP payload as an avatar or background image while concurrently, or in a tight loop, requesting the predicted path until one request lands inside the race window.
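The ordering problem above, modelled in Python rather than in ClipBucket's PHP (this is an added example, not the project's code): `vulnerable_upload()` reproduces the move-then-validate sequence the advisory describes, `fixed_upload()` validates in the private temp location first, and `race()` runs either handler while a second thread plays the role of the web client polling the predicted public path. The PNG-header check, the directory names, the user ID 1337 and the payload bytes are all constructed for the demonstration.

```python
"""TOCTOU model of a move-then-validate upload handler (added example, not ClipBucket code)."""
import os
import tempfile
import threading
import time

# Constructed inputs: a minimal "image" that passes the header check, and a PHP payload that must not.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
VALID_IMAGE = PNG_MAGIC + b"\x00" * 32
PHP_PAYLOAD = b"<?php system($_GET['c']); ?>"


def validate_image(path: str) -> bool:
    """Stand-in for an image validator: accept only files that start with a PNG header."""
    with open(path, "rb") as fh:
        return fh.read(len(PNG_MAGIC)) == PNG_MAGIC


def vulnerable_upload(tmp_path: str, public_path: str, validate_delay: float) -> bool:
    """Move first, validate second: the ordering the advisory describes."""
    os.replace(tmp_path, public_path)   # like move_uploaded_file(): the file is now web-reachable
    time.sleep(validate_delay)          # image parsing takes time; this is the race window
    if not validate_image(public_path):
        os.unlink(public_path)          # like @unlink(): too late, the file was already servable
        return False
    return True


def fixed_upload(tmp_path: str, public_path: str, validate_delay: float) -> bool:
    """Validate in the private upload location; move only after the check passes."""
    time.sleep(validate_delay)
    if not validate_image(tmp_path):
        os.unlink(tmp_path)
        return False
    os.replace(tmp_path, public_path)   # nothing unvalidated ever becomes web-reachable
    return True


def race(handler, payload: bytes, validate_delay: float = 0.2) -> dict:
    """Run one upload through `handler` while a polling 'web client' watches the public path."""
    with tempfile.TemporaryDirectory() as root:
        private_dir = os.path.join(root, "php_tmp")                 # PHP's upload_tmp_dir analogue
        public_dir = os.path.join(root, "files", "avatars")         # under the document root
        os.makedirs(private_dir)
        os.makedirs(public_dir)
        tmp_path = os.path.join(private_dir, "phpUpload")
        public_path = os.path.join(public_dir, "1337.php")          # predictable: {userid}.php
        with open(tmp_path, "wb") as fh:
            fh.write(payload)

        seen = {"served": False, "content": b""}
        stop = threading.Event()

        def poll():
            # Keep requesting the predicted path; make one final attempt after the handler finishes.
            while True:
                done = stop.is_set()
                try:
                    with open(public_path, "rb") as fh:
                        seen["content"] = fh.read()
                    seen["served"] = True
                    return
                except FileNotFoundError:
                    if done:
                        return
                    time.sleep(0.001)

        client = threading.Thread(target=poll)
        client.start()
        accepted = handler(tmp_path, public_path, validate_delay)
        stop.set()
        client.join()
        return {
            "accepted": accepted,                         # did the validator approve the file?
            "served": seen["served"],                     # did the client ever read the public path?
            "content": seen["content"],                   # what it read, if anything
            "left_behind": os.path.exists(public_path),   # is the file still there afterwards?
        }


if __name__ == "__main__":
    print("vulnerable, php :", race(vulnerable_upload, PHP_PAYLOAD))
    print("fixed, php      :", race(fixed_upload, PHP_PAYLOAD))
    print("fixed, image    :", race(fixed_upload, VALID_IMAGE))
```

With the vulnerable ordering the PHP payload is rejected and cleaned up, yet the client still read it from the public directory during the window; on a real server that read is a script execution. With the fixed ordering the rejected payload is never observable at the public path, while a valid image still arrives there as before. Shrinking `validate_delay` narrows the window but does not remove it, which is why the fix is the reordering, not faster validation.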
How can this vulnerability impact me?:
This vulnerability allows an authenticated low-privilege user to execute arbitrary PHP code on the server with the web server's privileges.
Successful exploitation results in remote code execution (RCE), which can lead to full compromise of the server hosting the ClipBucket application.
An attacker could use this to run commands, read sensitive data such as the database credentials in the application configuration, modify or delete files, install malware, or pivot to other systems reachable from the web server.
Because the flaw is a race condition in file upload validation, a single attempt may miss the window, but the attack costs nothing to repeat: the attacker simply re-uploads and keeps polling the predictable path until a request lands inside the window, so exploitation is reliable in practice. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious file uploads and concurrent HTTP requests targeting predictable PHP file paths in the ClipBucket avatar and background upload directories.
Specifically, an attacker uploads a PHP payload to a path like /files/avatars/{userid}.php and concurrently sends HTTP requests to that path to execute the PHP code during the race window, before the file is deleted.
To detect exploitation attempts, you can:
- Monitor web server access logs for repeated requests to paths matching /files/avatars/*.php or /files/backgrounds/*.php. A burst of 404 responses for the same .php path is itself suspicious (the attacker is polling for the window); a 200 among them means the payload was served and almost certainly executed.
- Check for POST requests to edit_account.php clustered in time with those probes and coming from the same client. The update_avatar_bg parameter is sent in the POST body, which standard access logs do not record, so it is only visible in the log if it was passed in the query string or if you log request bodies (for example with a WAF or a mod_security audit log).
- Use network monitoring tools or an intrusion detection system to flag rapid, repeated uploads and fetches to these endpoints from one client.
Example commands to assist detection:
- Find accesses to PHP files under the upload directories: grep -E "/files/(avatars|backgrounds)/[^ ]*\.php" /var/log/apache2/access.log
- Find avatar/background uploads (the second grep only matches when the parameter appears in the logged URL): grep "POST /edit_account.php" /var/log/apache2/access.log | grep "update_avatar_bg"
- Use curl or a small script to test whether an uploaded PHP file is served during the race window (requires an authenticated account and careful timing; only do this against systems you are authorized to test). [1]
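The correlation described above, applied to Apache combined-format access log lines (added example, not part of the advisory). The log lines are constructed for the demonstration; the IP addresses are documentation ranges and the user IDs and timestamps are invented. The script parses each line, separates avatar/background uploads (POST /edit_account.php) from probes of PHP files under the upload directories, and reports per client how many probes were seen, how many returned 200, and whether a probe fell within a few seconds of an upload from the same client.

```python
"""Correlate upload posts with probes of the ClipBucket upload directories in an access log.
Added example; the log lines below are constructed, not taken from a real incident."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# A PHP file directly under the avatar or background upload directory, with or without a query string.
PROBE_RE = re.compile(r"^/files/(avatars|backgrounds)/[^/?]+\.php(\?.*)?$")
UPLOAD_PATH = "/edit_account.php"

# Constructed sample: one attacker polling its predicted path, one normal user, one lone probe.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2026:12:00:01 +0000] "POST /edit_account.php HTTP/1.1" 302 0
203.0.113.7 - - [10/Feb/2026:12:00:01 +0000] "GET /files/avatars/1337.php?c=id HTTP/1.1" 404 196
203.0.113.7 - - [10/Feb/2026:12:00:01 +0000] "GET /files/avatars/1337.php?c=id HTTP/1.1" 200 54
203.0.113.7 - - [10/Feb/2026:12:00:02 +0000] "GET /files/avatars/1337.php?c=id HTTP/1.1" 404 196
198.51.100.4 - - [10/Feb/2026:12:05:10 +0000] "POST /edit_account.php HTTP/1.1" 302 0
198.51.100.4 - - [10/Feb/2026:12:05:11 +0000] "GET /files/avatars/42.png HTTP/1.1" 200 8812
192.0.2.9 - - [10/Feb/2026:13:00:00 +0000] "GET /files/backgrounds/7.php HTTP/1.1" 404 196
"""


def parse(log_text: str):
    """Yield one dict per parseable line; silently skip lines that are not in combined format."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        yield {
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
        }


def find_exploit_attempts(log_text: str, window: timedelta = timedelta(seconds=5)) -> list:
    """Report every client that probed a .php under the upload dirs, and whether it also uploaded nearby."""
    per_client = defaultdict(lambda: {"uploads": [], "probes": []})
    for e in parse(log_text):
        if e["method"] == "POST" and e["path"].split("?", 1)[0] == UPLOAD_PATH:
            per_client[e["ip"]]["uploads"].append(e["ts"])
        elif PROBE_RE.match(e["path"]):
            per_client[e["ip"]]["probes"].append((e["ts"], e["status"]))

    findings = []
    for ip, ev in per_client.items():
        if not ev["probes"]:
            continue  # uploads alone are normal user behaviour
        correlated = any(abs(p_ts - u_ts) <= window for p_ts, _ in ev["probes"] for u_ts in ev["uploads"])
        findings.append({
            "ip": ip,
            "probes": len(ev["probes"]),                                # how hard the client polled
            "executed": sum(1 for _, s in ev["probes"] if s == 200),    # 200 = payload was served
            "correlated_with_upload": correlated,                       # probe near an upload by same client
        })
    return sorted(findings, key=lambda f: f["ip"])


if __name__ == "__main__":
    for finding in find_exploit_attempts(SAMPLE_LOG):
        print(finding)
```

The 404s matter as much as the 200: repeated misses on a path that should never exist are the polling loop itself, and a client that both uploads and polls inside a few seconds is the pattern to alert on even when no 200 was logged. A probe without an upload from the same client (the 192.0.2.9 line) is still worth a look, because the upload may have come through a different address or a proxy.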
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Upgrade ClipBucket to the fixed release (5.5.3-40 or later, per the affected range above). The fix reorders `upload_user_file()` so that the uploaded file is validated before it is moved into a web-accessible location.
- If upgrading is not immediately possible, disable script execution in the upload directories (e.g. /files/avatars/ and /files/backgrounds/) in the web server configuration, for example with an Apache `<Directory>` block that removes the PHP handler for those paths or an nginx `location` rule that denies requests for `.php` files under them. This closes the RCE even while the race itself remains.
- Keep the web server's upload directories on a path that is never treated as executable, and make sure server-side validation accepts only genuine image files before anything is placed under the document root.
- Monitoring and rate-limiting upload and fetch requests can make exploitation noisier and slower, but they do not close the race: the window exists on every upload, so treat them as detection aids rather than a fix.
- If you maintain a fork or cannot take the full release, apply the upstream patch that changes the order of operations in `upload_user_file()` (validate, then move) as described in the official fix.