Platform
go
Component
github.com/filebrowser/filebrowser/v2
Fixed in
2.61.3
2.61.2
CVE-2026-32759 describes a Remote Code Execution (RCE) vulnerability discovered in filebrowser/filebrowser/v2, a self-hosted file manager. This flaw allows an authenticated user with upload permissions to trigger arbitrary after_upload hooks, potentially leading to code execution. The vulnerability affects versions of filebrowser/filebrowser/v2 up to and including 2.61.1. A patch is expected to be released by the maintainers.
The vulnerability stems from insufficient validation of the Upload-Length header within the TUS resumable upload handler. An attacker can craft a malicious PATCH request with a negative Upload-Length value. This bypasses the intended logic, causing the server to prematurely consider the upload complete. Consequently, the configured after_upload hook is executed, regardless of whether a complete or valid file was actually uploaded. This allows an attacker to trigger arbitrary code execution on the server, potentially leading to complete system compromise. The impact is particularly severe as it requires only authentication and upload permissions, making it accessible to a wider range of users within the filebrowser environment.
This vulnerability was publicly disclosed on 2026-03-16. There are currently no known public exploits or active campaigns targeting this vulnerability. It is not listed on the CISA KEV catalog at the time of writing. The vulnerability's ease of exploitation and potential impact warrant close monitoring.
Exploit Status
EPSS
0.18% (40th percentile)
CISA SSVC
The primary mitigation is to upgrade to a patched version of filebrowser/filebrowser/v2 as soon as it becomes available. Until a patch is released, consider disabling the after_upload hook functionality entirely within the filebrowser configuration. If disabling the hook is not feasible, restrict access to the upload functionality to trusted users only. Implement a Web Application Firewall (WAF) rule to filter out PATCH requests with negative Upload-Length headers. Monitor filebrowser logs for unusual activity, specifically looking for repeated after_upload hook executions with small or zero-byte files.
No fixed version is available at the time of analysis. It is recommended to disable the TUS endpoint (/api/tus) or disable exec hooks (enableExec=false) until an update is released. Monitor security updates in the File Browser repository.
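The header check that the WAF-rule suggestion above describes, as an added Go middleware example (not File Browser project code): it rejects requests under the /api/tus path named in the advisory whose Upload-Length is negative or non-numeric before the upload handler runs. The stub upstream and the sample requests are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"strings"
)

// validateUploadLength checks a TUS Upload-Length value: TUS defines it as the
// total upload size in bytes, so only a non-negative decimal integer is valid
// and a negative value (the trigger described for CVE-2026-32759) is rejected.
// An absent header passes, since TUS clients may use Upload-Defer-Length.
func validateUploadLength(v string) error {
	v = strings.TrimSpace(v)
	if v == "" {
		return nil
	}
	n, err := strconv.ParseInt(v, 10, 64)
	if err != nil || n < 0 {
		return fmt.Errorf("invalid Upload-Length %q: must be a non-negative integer", v)
	}
	return nil
}

// tusGuard is a hypothetical middleware (not File Browser project code) in front
// of the TUS endpoint: a request under /api/tus with an invalid Upload-Length is
// answered 400 before the upload handler, and any after_upload hook, can run.
func tusGuard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.HasPrefix(r.URL.Path, "/api/tus") {
			if err := validateUploadLength(r.Header.Get("Upload-Length")); err != nil {
				http.Error(w, err.Error(), http.StatusBadRequest)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Constructed sample requests against a stub upstream that always answers 204.
	upstream := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusNoContent) })
	for _, ul := range []string{"1024", "-1", "abc"} {
		req := httptest.NewRequest(http.MethodPatch, "/api/tus/example-upload-id", nil)
		req.Header.Set("Upload-Length", ul)
		rec := httptest.NewRecorder()
		tusGuard(upstream).ServeHTTP(rec, req)
		fmt.Printf("Upload-Length=%q -> HTTP %d\n", ul, rec.Code)
	}
}
```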
CVE-2026-32759 is a Remote Code Execution vulnerability in filebrowser/filebrowser/v2 versions up to 2.61.1. A negative Upload-Length header triggers arbitrary hook execution, potentially allowing attackers to run code on the server.
You are affected if you are running filebrowser/filebrowser/v2 version 2.61.1 or earlier. Check your version and upgrade as soon as a patch is available.
Upgrade to a patched version of filebrowser/filebrowser/v2 as soon as it is released. As a temporary workaround, disable the after_upload hook or restrict upload access.
As of now, there are no confirmed reports of active exploitation, but the vulnerability's potential impact warrants close monitoring.
Refer to the official filebrowser project's GitHub repository and website for updates and security advisories related to CVE-2026-32759.