CVE-2026-32759
Status: Modified - Updated After Analysis
Signed Integer Overflow in File Browser TUS Upload Enables Remote Code Execution

Publication date: 2026-03-20

Last updated on: 2026-06-09

Assigner: GitHub, Inc.

Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. In versions on the 2.x branch prior to 2.33.8, the TUS resumable upload handler parses the Upload-Length header as a signed 64-bit integer without validating that the value is non-negative, allowing an authenticated user to supply a negative value that instantly satisfies the upload completion condition upon the first PATCH request. This causes the server to fire after_upload exec hooks with empty or partial files, enabling an attacker to repeatedly trigger any configured hook with arbitrary filenames and zero bytes written. The impact ranges from DoS through expensive processing hooks, to command injection amplification when combined with malicious filenames, to abuse of upload-driven workflows like S3 ingestion or database inserts. Even without exec hooks enabled, the negative Upload-Length creates inconsistent cache entries where files are marked complete but contain no data. All deployments using the TUS upload endpoint (/api/tus) are affected, with the enableExec flag escalating the impact from cache inconsistency to remote command execution. This feature has been disabled by default for all installations from v2.33.8 onwards, including for existing installations. To exploit this vulnerability, the instance administrator must turn on a feature and ignore all the warnings about known vulnerabilities.
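The parse-and-complete flaw described above, as an added illustration written for this page (it is not File Browser's code): a minimal TUS-style upload store whose create step shows the signed parse with no sign check beside the non-negative check that closes the hole, and whose patch step shows why a negative length is "complete" with zero bytes written. The store, upload and strict names are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

// upload is a constructed stand-in for a TUS upload record (not File Browser's type).
type upload struct{ length, offset int64 } // Upload-Length as parsed; bytes received
// store keeps uploads; strict selects the hardened Upload-Length validation.
type store struct {
	strict  bool
	uploads map[string]*upload
}

func newStore(strict bool) *store { return &store{strict: strict, uploads: map[string]*upload{}} }

// create models the TUS POST. The advisory's flaw is parsing Upload-Length as a
// signed int64 with no sign check; strict mode adds that missing check.
func (s *store) create(id, uploadLength string) error {
	n, err := strconv.ParseInt(uploadLength, 10, 64)
	if err != nil {
		return err
	}
	if s.strict && n < 0 {
		return errors.New("Upload-Length must be non-negative")
	}
	s.uploads[id] = &upload{length: n}
	return nil
}

// patch models a TUS PATCH: it appends the body and reports whether offset >= length,
// the completion condition on which after_upload hooks run. A negative length
// satisfies it before a single byte has been written.
func (s *store) patch(id string, offset int64, body []byte) (bool, error) {
	u, ok := s.uploads[id]
	if !ok || offset != u.offset {
		return false, errors.New("unknown upload or Upload-Offset mismatch")
	}
	u.offset += int64(len(body))
	return u.offset >= u.length, nil
}

func main() {
	v := newStore(false)
	_ = v.create("u1", "-1")
	done, _ := v.patch("u1", 0, nil) // empty PATCH, zero bytes written
	fmt.Println("vulnerable: complete =", done, "| fixed:", newStore(true).create("u2", "-1"))
}
```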
Meta Information

Published: 2026-03-20
Last Modified: 2026-06-09
Generated: 2026-06-16
AI Q&A: 2026-03-20
EPSS Evaluated: 2026-06-15
NVD
Affected Vendors & Products

Showing 1 associated CPE

Vendor: filebrowser
Product: filebrowser
Version / Range: to 2.61.2 (inc)
CWE

CWE-190: The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
Executive Summary

CVE-2026-32759 is a vulnerability in the File Browser application, specifically in its TUS resumable upload handler for versions 2.61.2 and below. The issue occurs because the Upload-Length header is parsed as a signed 64-bit integer without checking if the value is non-negative. An authenticated user can supply a negative Upload-Length value, which causes the server to mistakenly consider the upload complete immediately upon the first PATCH request.

This premature completion triggers configured after_upload execution hooks with empty or partial files. Attackers can repeatedly trigger these hooks with arbitrary filenames and zero bytes written, leading to various impacts depending on the system configuration.

Impact Analysis

The impacts of this vulnerability vary based on system configuration and usage of exec hooks. An authenticated user with upload permission can exploit this to:

  • Cause Denial of Service (DoS) by repeatedly triggering expensive processing hooks such as virus scanning or transcoding without uploading any data.
  • Amplify command injection attacks if exec hooks execute shell commands with attacker-controlled filenames.
  • Abuse upload-driven workflows like S3 ingestion, database inserts, or notifications by triggering them with empty or arbitrary files.
  • Even if exec hooks are disabled, the upload cache becomes inconsistent because files are marked complete with zero bytes, potentially causing downstream processes to receive incomplete or empty data.

Detection Guidance

This vulnerability can be detected by monitoring for unusual or repeated PATCH requests to the TUS upload endpoint (/api/tus) with a negative Upload-Length header value, such as -1.

A proof of concept involves sending a POST request with Upload-Length set to -1 followed by a PATCH request with an empty body to trigger the after_upload hooks prematurely.

Example commands to test or detect the vulnerability include using curl to simulate the attack pattern:

  • POST a TUS upload with Upload-Length: -1
  • PATCH the upload with an empty body and Upload-Offset: 0

Server logs can be checked for repeated firing of after_upload hooks with zero-byte or partial files, which indicates exploitation attempts.
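The two log signals named in this guidance (a TUS create carrying a negative Upload-Length, and an after_upload hook firing with zero bytes written), as an added detection example written for this page rather than taken from File Browser: it runs over a small constructed key=value log. The log format, field names and sample lines are assumptions; a real deployment must adapt parseFields to its own access and hook logs.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// sampleLog is a constructed key=value log in a format assumed for this example;
// File Browser's real log lines differ, so parseFields must be adapted to them.
var sampleLog = []string{
	"ts=2026-03-21T10:15:02Z user=alice method=POST path=/api/tus/ upload_length=4096 status=201",
	"ts=2026-03-21T10:15:03Z user=bob method=POST path=/api/tus/ upload_length=-1 status=201",
	"ts=2026-03-21T10:15:04Z user=bob method=PATCH path=/api/tus/report.pdf upload_offset=0 body_bytes=0 status=204",
	"ts=2026-03-21T10:15:04Z hook=after_upload user=bob file=report.pdf bytes=0",
	"ts=2026-03-21T10:15:09Z hook=after_upload user=alice file=photo.jpg bytes=4096",
}

func parseFields(line string) map[string]string {
	f := map[string]string{}
	for _, kv := range strings.Fields(line) {
		if k, v, ok := strings.Cut(kv, "="); ok {
			f[k] = v
		}
	}
	return f
}

// detect returns one alert per suspicious line: (1) TUS create requests whose
// Upload-Length is negative and (2) after_upload hooks that fired with zero bytes.
func detect(lines []string) []string {
	var alerts []string
	for _, line := range lines {
		f := parseFields(line)
		if f["method"] == "POST" && strings.HasPrefix(f["path"], "/api/tus") {
			if n, err := strconv.ParseInt(f["upload_length"], 10, 64); err == nil && n < 0 {
				alerts = append(alerts, fmt.Sprintf("user=%s negative Upload-Length %d on TUS create", f["user"], n))
			}
		}
		if f["hook"] == "after_upload" && f["bytes"] == "0" {
			alerts = append(alerts, fmt.Sprintf("user=%s after_upload hook fired for %s with zero bytes", f["user"], f["file"]))
		}
	}
	return alerts
}

func main() {
	for _, a := range detect(sampleLog) {
		fmt.Println("ALERT", a)
	}
}
```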

Mitigation Strategies

Since no patch is currently available for this vulnerability, immediate mitigation steps focus on configuration and operational controls.

  • Avoid enabling the exec hooks feature (enableExec flag) to prevent escalation from cache inconsistency to remote command execution.
  • Monitor and restrict authenticated users' ability to upload files if possible, to reduce the risk of abuse.
  • Review server logs for suspicious upload activity, especially PATCH requests with negative Upload-Length values.
  • Consider disabling or limiting workflows triggered by after_upload hooks that could be abused by this vulnerability.

Users are advised to follow updates on the official GitHub issue tracker for a future patch or fix. [1]
