CVE-2026-38361
Modified Modified - Updated After Analysis
Remote Code Execution in Fohrloop Dash-Uploader

Publication date: 2026-05-08

Last updated on: 2026-06-10

Assigner: MITRE

Description
Multiple unauthenticated denial-of-service (DoS) issues in fohrloop dash-uploader v0.1.0 through v0.7.0a2. The chunked-upload handler (dash_uploader/httprequesthandler.py, dash_uploader/upload.py) trusts unsanitized, attacker-controlled upload parameters (e.g. flowTotalChunks) and does not enforce the documented max_file_size limit, allowing a remote, unauthenticated attacker to cause an out-of-memory (OOM) process crash (unbounded range(1, flowTotalChunks + 1) allocation), truncation of the target file to zero bytes (flowTotalChunks=0, where the all([]) == True quirk runs the file-assembly branch on zero chunks), permanent disk exhaustion (never-cleaned-up temporary directories per flowIdentifier), and a complete bypass of the documented max_file_size limit.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-06-10
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-38361
EUVD
EUVD-2026-28645
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
fohrloop dash-uploader From 0.1.0 (inc) to 0.7.0a2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-670 The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-38361 is a vulnerability in the Python package dash-uploader versions 0.1.0 through 0.7.0a2 that allows a remote attacker to execute arbitrary code. This occurs via components in dash_uploader such as httprequesthandler.py, upload.py (specifically the Upload function), and configure_upload.py, where unsanitized parameters and lack of proper checks enable exploitation.

The vulnerability includes multiple unauthenticated Denial of Service (DoS) issues such as Out-of-Memory crashes, file truncation to zero bytes, permanent disk exhaustion, and bypass of the max_file_size limit. The max_file_size parameter is only enforced on the client side, allowing attackers to upload files larger than intended.

These issues stem from unbounded memory allocation, file operations without proper validation, and directory creation without cleanup, which can be manipulated by attackers to cause server crashes, data destruction, and resource exhaustion.

Impact Analysis

This vulnerability can have severe impacts including remote code execution on the server running dash-uploader, leading to full compromise of the system.

Additionally, attackers can cause Denial of Service conditions by exhausting server memory and disk space, truncating files to zero bytes, and bypassing file size restrictions, which can disrupt service availability and lead to data loss.

Because the max_file_size parameter is only enforced client-side, attackers can upload arbitrarily large files, potentially filling up disk space and causing permanent disk exhaustion or inode exhaustion.

Detection Guidance

This vulnerability involves unauthenticated Denial of Service (DoS) attacks exploiting the dash-uploader package by sending specially crafted HTTP requests that bypass the max_file_size limit and cause resource exhaustion or file truncation.

To detect exploitation attempts on your network or system, you can monitor HTTP requests targeting the dash_uploader endpoints, especially those involving the Upload function and the max_file_size parameter.

Suggested commands include using network monitoring tools or web server logs to identify unusual POST requests to dash_uploader upload endpoints, for example:

  • Using grep on web server logs to find suspicious upload requests: grep -i 'dash_uploader' /var/log/nginx/access.log | grep POST
  • Using tcpdump or Wireshark to capture HTTP traffic and filter for requests containing 'max_file_size' parameter.
  • Checking for unusually large or malformed upload requests that could indicate attempts to bypass size limits or cause resource exhaustion.

Since the vulnerability exploits unsanitized HTTP parameters, monitoring for repeated or abnormal POST requests to the dash_uploader upload endpoints is key.

Mitigation Strategies

Immediate mitigation steps for this vulnerability include:

  • Migrate away from dash-uploader to a safer alternative such as Plotly Dash's built-in dcc.Upload component, which does not have this vulnerability.
  • Implement a custom Flask upload handler that enforces server-side file size limits and sanitizes all input parameters to prevent arbitrary code execution and resource exhaustion.
  • Apply reverse-proxy or Web Application Firewall (WAF) rules to rate-limit or block suspicious upload requests targeting dash_uploader endpoints.
  • Regularly clean up temporary upload files and monitor disk usage to prevent permanent disk exhaustion caused by orphaned temporary files.

Note that no patch is available because the project was archived and has no active maintainer, so these mitigation steps are critical to reduce risk.

Compliance Impact

The vulnerability in dash-uploader allows remote attackers to execute arbitrary code and causes issues such as unbounded memory allocation, disk exhaustion, and file truncation. These issues can lead to denial of service and potential data destruction.

Because the vulnerability enables arbitrary file uploads without proper server-side validation and bypasses client-side file size limits, it poses significant risks to data integrity and availability.

Such risks can impact compliance with standards like GDPR and HIPAA, which require protection of personal data, ensuring data integrity, availability, and preventing unauthorized access or data loss.

The lack of active maintenance and no available patch further complicate compliance efforts, as organizations using this package may struggle to meet regulatory requirements for secure data handling and incident response.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-38361. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart