CVE-2026-32759
Status: Received - Intake
Signed Integer Overflow in File Browser TUS Upload Enables Remote Code Execution

Publication date: 2026-03-20

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. In versions 2.61.2 and below, the TUS resumable upload handler parses the Upload-Length header as a signed 64-bit integer without validating that the value is non-negative, allowing an authenticated user to supply a negative value that instantly satisfies the upload completion condition upon the first PATCH request. This causes the server to fire after_upload exec hooks with empty or partial files, enabling an attacker to repeatedly trigger any configured hook with arbitrary filenames and zero bytes written. The impact ranges from DoS through expensive processing hooks, to command injection amplification when combined with malicious filenames, to abuse of upload-driven workflows like S3 ingestion or database inserts. Even without exec hooks enabled, the negative Upload-Length creates inconsistent cache entries where files are marked complete but contain no data. All deployments using the TUS upload endpoint (/api/tus) are affected, with the enableExec flag escalating the impact from cache inconsistency to remote command execution. At the time of publication, no patch or mitigation was available to address this issue.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-20
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
One associated CPE:
Vendor: filebrowser
Product: filebrowser
Version / Range: up to and including 2.61.2
CWE
CWE-190: The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-32759 is a vulnerability in the File Browser application, specifically in its TUS resumable upload handler, affecting versions 2.61.2 and below. The handler parses the Upload-Length header of a TUS creation request as a signed 64-bit integer and never checks that the value is non-negative. An authenticated user with upload permission can therefore declare a negative length (for example -1); because any non-negative count of written bytes already satisfies a completion check against a negative declared length, the server treats the upload as finished on the very first PATCH request, even one that carries no data.

That premature completion fires the configured after_upload exec hooks with an empty or partial file. The attacker can repeat the sequence at will, choosing the filename each time and never writing a byte, so every hook becomes a trigger the attacker controls; the resulting impact depends on what those hooks do and on whether exec hooks are enabled at all.
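The mechanics above, as an added example in Go (the language File Browser is written in). This is not the project's code: parseLengthSigned models the unchecked parse the advisory describes, parseLengthChecked is the hardened form, and uploadComplete is a reconstruction of the completion predicate (bytes written compared against the declared length), not File Browser's actual source. The request headers are constructed to match the two-step proof of concept the page outlines (creation with Upload-Length: -1, then a PATCH at offset 0 with an empty body); the 1 GiB limit is an assumed deployment setting.

```go
package main

import (
	"fmt"
	"net/http"
	"strconv"
)

// Constructed request headers reproducing the two-step pattern the advisory
// describes: a TUS creation request that declares Upload-Length: -1, then a
// PATCH at offset 0 that carries no body at all.
var (
	pocCreate = http.Header{"Upload-Length": {"-1"}}
	pocPatch  = http.Header{"Upload-Offset": {"0"}, "Content-Length": {"0"}}
)

// parseLengthSigned models the flaw class: ParseInt accepts a leading minus
// sign, and nothing afterwards checks that the result is >= 0.
func parseLengthSigned(h http.Header) (int64, error) {
	return strconv.ParseInt(h.Get("Upload-Length"), 10, 64)
}

// parseLengthChecked is the hardened form. ParseUint rejects any sign
// character outright, and the result is bounded by a deployment limit so an
// absurd declared length cannot reserve unbounded space either.
func parseLengthChecked(h http.Header, maxLen uint64) (uint64, error) {
	raw := h.Get("Upload-Length")
	n, err := strconv.ParseUint(raw, 10, 64)
	if err != nil {
		return 0, fmt.Errorf("invalid Upload-Length %q: %w", raw, err)
	}
	if n > maxLen {
		return 0, fmt.Errorf("declared length %d exceeds limit %d", n, maxLen)
	}
	return n, nil
}

// uploadComplete is a reconstruction of the completion predicate the advisory
// refers to (bytes written compared against the declared length); it is not
// File Browser's code. With length == -1 it is true before any byte lands.
func uploadComplete(written, length int64) bool {
	return written >= length
}

// bytesAfterPatch returns how many bytes the upload holds after one PATCH:
// the Upload-Offset the client claims plus the body it actually sent.
func bytesAfterPatch(patch http.Header) (int64, error) {
	offset, err := strconv.ParseInt(patch.Get("Upload-Offset"), 10, 64)
	if err != nil {
		return 0, err
	}
	body, err := strconv.ParseInt(patch.Get("Content-Length"), 10, 64)
	if err != nil {
		return 0, err
	}
	return offset + body, nil
}

// vulnerableFlow runs the PoC through the unchecked parser and reports whether
// the handler would treat the upload as finished (and so fire after_upload).
func vulnerableFlow(create, patch http.Header) (hooksFire bool, written int64, err error) {
	length, err := parseLengthSigned(create)
	if err != nil {
		return false, 0, err
	}
	written, err = bytesAfterPatch(patch)
	if err != nil {
		return false, 0, err
	}
	return uploadComplete(written, length), written, nil
}

// hardenedFlow is the same creation step behind the checked parser: the
// request is refused, so no upload exists for a later PATCH to "complete".
func hardenedFlow(create http.Header, maxLen uint64) error {
	_, err := parseLengthChecked(create, maxLen)
	return err
}

func main() {
	fire, n, err := vulnerableFlow(pocCreate, pocPatch)
	fmt.Printf("unchecked parser: complete=%v bytesWritten=%d err=%v\n", fire, n, err)
	fmt.Printf("checked parser:   err=%v\n", hardenedFlow(pocCreate, 1<<30))
}
```

Running it shows the unchecked path reporting the upload complete with zero bytes written, while the checked parser refuses the creation request before any upload state exists. Parsing as unsigned is deliberate: it removes the sign from the type rather than relying on a later `if n < 0` check that a future refactor could drop.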


How can this vulnerability impact me?

The impacts of this vulnerability vary based on system configuration and usage of exec hooks. An authenticated user with upload permission can exploit this to:

  • Cause Denial of Service (DoS) by repeatedly triggering expensive processing hooks such as virus scanning or transcoding without uploading any data.
  • Amplify command injection attacks if exec hooks execute shell commands with attacker-controlled filenames.
  • Abuse upload-driven workflows like S3 ingestion, database inserts, or notifications by triggering them with empty or arbitrary files.
  • Even if exec hooks are disabled, the upload cache becomes inconsistent because files are marked complete with zero bytes, potentially causing downstream processes to receive incomplete or empty data.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring the TUS upload endpoint (/api/tus) for creation (POST) requests whose Upload-Length header is negative, such as -1, followed by PATCH requests with empty bodies. Note that ordinary access logs record the method and path but not request headers, so the Upload-Length value has to be logged at a reverse proxy or in request-level middleware to be visible.

A proof of concept involves sending a POST request with Upload-Length set to -1 followed by a PATCH request with an empty body to trigger the after_upload hooks prematurely.

Example commands to test or detect the vulnerability include using curl to simulate the attack pattern:

  • POST a TUS upload with Upload-Length: -1
  • PATCH the upload with an empty body and Upload-Offset: 0

Server logs can also be checked for repeated firing of after_upload hooks on zero-byte or partial files, which indicates exploitation attempts even where the triggering headers were not logged.


What immediate steps should I take to mitigate this vulnerability?

Since no patch is currently available for this vulnerability, immediate mitigation focuses on configuration and operational controls:

  • Keep the exec hooks feature (the enableExec flag) disabled. Without it, the defect is limited to inconsistent cache entries for uploads marked complete with no data; with it, every after_upload hook becomes a command an authenticated user can trigger at will.
  • Restrict which authenticated users hold upload permission, since that permission is all an attacker needs to reach /api/tus.
  • If a reverse proxy fronts File Browser, reject requests to /api/tus whose Upload-Length header is not a non-negative integer; a negative value has no legitimate meaning in the TUS protocol and is the trigger for this bug.
  • Review server and proxy logs for suspicious upload activity, in particular TUS creation requests carrying a negative Upload-Length followed by PATCH requests with empty bodies, and for after_upload hooks firing on zero-byte files.
  • Disable or limit workflows triggered by after_upload hooks (S3 ingestion, database inserts, notifications) that an attacker could drive with empty or arbitrarily named files.

Users are advised to follow updates on the official GitHub issue tracker for a future patch or fix. [1]
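A compensating control for the detection and mitigation points above, as an added example that is not part of File Browser: a hypothetical tusGuard handler that a Go reverse proxy can place in front of the application. It refuses any request under /api/tus (the endpoint named in the advisory) whose Upload-Length is not a non-negative integer within an assumed limit, logs the rejection with the client address so the attempt is visible, and counts rejections for alerting. The upstream is a stand-in that answers 201, and the requests are constructed and driven through httptest so the example runs without a File Browser instance.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
	"sync/atomic"
)

// tusGuard sits in front of File Browser (for example inside a Go reverse
// proxy) and refuses any request to /api/tus whose Upload-Length header is
// not a non-negative integer within maxLen. Hypothetical compensating
// control, not part of File Browser; the path prefix is from the advisory.
type tusGuard struct {
	next     http.Handler
	maxLen   uint64
	rejected atomic.Int64 // number of refused requests, for alerting
}

func (g *tusGuard) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if strings.HasPrefix(r.URL.Path, "/api/tus") {
		// Checked on every method, not just POST: TUS lets a client defer
		// the length and send Upload-Length on a later PATCH instead.
		if raw := r.Header.Get("Upload-Length"); raw != "" {
			// ParseUint rejects a leading '-' outright, so "-1" never
			// reaches the application as a signed value.
			n, err := strconv.ParseUint(raw, 10, 64)
			if err != nil || n > g.maxLen {
				g.rejected.Add(1)
				log.Printf("tus-guard: rejected %s %s Upload-Length=%q from %s",
					r.Method, r.URL.Path, raw, r.RemoteAddr)
				http.Error(w, "invalid Upload-Length", http.StatusBadRequest)
				return
			}
		}
	}
	g.next.ServeHTTP(w, r)
}

// newGuard wraps a stand-in upstream that answers 201 to anything, so the
// example runs without a File Browser instance behind it.
func newGuard(maxLen uint64) *tusGuard {
	upstream := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusCreated)
	})
	return &tusGuard{next: upstream, maxLen: maxLen}
}

// probe pushes one constructed request through the guard in-process and
// returns the HTTP status the client would see.
func probe(g *tusGuard, method, path string, hdr map[string]string) int {
	req := httptest.NewRequest(method, path, nil)
	for k, v := range hdr {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	g.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	g := newGuard(1 << 30) // assumed 1 GiB per-upload limit
	// Constructed requests: the PoC creation request, a legitimate one, and
	// the follow-up PATCH that the advisory says completes the upload.
	log.Println("PoC POST    ->", probe(g, "POST", "/api/tus/", map[string]string{"Upload-Length": "-1"}))
	log.Println("normal POST ->", probe(g, "POST", "/api/tus/", map[string]string{"Upload-Length": "1048576"}))
	log.Println("PATCH       ->", probe(g, "PATCH", "/api/tus/demo", map[string]string{"Upload-Offset": "0"}))
	log.Println("rejected:", g.rejected.Load())
}
```

The PATCH in the proof of concept carries no Upload-Length and so passes the guard untouched; that is fine, because the creation request it depends on was already refused and no upload exists to complete. The rejection log line (method, path, raw header value, client address) is the signal to alert on, since the application's own access log will not show the header.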

