PatchSiren cyber security CVE debrief
CVE-2026-32759 filebrowser CVE debrief
CVE-2026-32759 is a vulnerability in the File Browser TUS resumable upload handler. In versions on the 2.x branch prior to 2.33.8, an authenticated user can supply a negative Upload-Length value, which is parsed as a signed 64-bit integer without validation. This allows the user to instantly satisfy the upload completion condition upon the first PATCH request, causing the server to fire after_upload exec hooks with empty or partial files. The impact of this vulnerability ranges from Denial of Service (DoS) through expensive processing hooks to command injection amplification when combined with malicious filenames, and abuse of upload-driven workflows like S3 ingestion or database inserts. Even without exec hooks enabled, the negative Upload-Length creates inconsistent cache entries where files are marked complete but contain no data.
- Vendor: filebrowser
- Product: Unknown
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-20
- Original CVE updated: 2026-06-09
- Advisory published: 2026-03-20
- Advisory updated: 2026-06-09
Who should care
Administrators and users of File Browser instances using the TUS upload endpoint (/api/tus) are affected by this vulnerability. Specifically, deployments with the enableExec flag turned on are at risk of remote command execution.
Technical summary
The vulnerability exists in the TUS resumable upload handler of File Browser versions on the 2.x branch prior to 2.33.8. An authenticated user can exploit this by supplying a negative value for the Upload-Length header, which is not validated for non-negativity. This causes the server to prematurely mark uploads as complete, leading to potential security issues including DoS, code execution, and data inconsistency.
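The missing non-negativity check, written out as an added example (not File Browser's own code or its patch). The function names and the `offset >= declared` completion condition are assumptions made for illustration; `guardTUS` is a hypothetical front-end middleware that rejects a bad Upload-Length on `/api/tus` before it reaches an unpatched handler.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strconv"
	"strings"
)

// parseUploadLength: ParseInt alone accepts "-1" as a valid int64; the sign check is the missing step.
func parseUploadLength(v string) (int64, error) {
	n, err := strconv.ParseInt(strings.TrimSpace(v), 10, 64)
	if err != nil {
		return 0, fmt.Errorf("Upload-Length is not an integer: %w", err)
	}
	if n < 0 {
		return 0, errors.New("Upload-Length must be non-negative")
	}
	return n, nil
}

// uploadComplete is an assumed form of the completion condition (bytes received reach the declared length).
func uploadComplete(offset, declared int64) bool { return offset >= declared }

// validTUSRequest: requests outside /api/tus, or without an Upload-Length header, are not inspected.
func validTUSRequest(path, uploadLength string) bool {
	if !strings.HasPrefix(path, "/api/tus") || uploadLength == "" {
		return true
	}
	_, err := parseUploadLength(uploadLength)
	return err == nil
}

// guardTUS (hypothetical) answers 400 before an invalid length reaches next.
func guardTUS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !validTUSRequest(r.URL.Path, r.Header.Get("Upload-Length")) {
			http.Error(w, "invalid Upload-Length", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed values: with a declared length of -1, offset 0 already counts as complete.
	fmt.Println(uploadComplete(0, -1), validTUSRequest("/api/tus/a.txt", "-1"))
}
```

A guard like this is a stopgap in front of an unpatched instance; the fix listed under the recommended actions remains the upgrade to 2.33.8 or later.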
Defensive priority
MEDIUM
Recommended defensive actions
- Update to version 2.33.8 or later to patch the vulnerability.
- Disable the enableExec flag if not required.
- Monitor for suspicious upload activity and configure upload-driven workflows securely.
Evidence notes
CVE-2026-32759 has a CVSS score of 5.3 and is classified as MEDIUM severity. The vulnerability was published on March 20, 2026, and modified on June 9, 2026.
Official resources
- CVE-2026-32759 CVE record (CVE.org)
- CVE-2026-32759 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: [email protected] - Issue Tracking
- Mitigation or vendor reference: [email protected] - Exploit, Vendor Advisory
CVE-2026-32759 was published on 2026-03-20T00:16:17.270Z and modified on 2026-06-09T13:16:35.833Z.