Platform: go
Component: github.com/filebrowser/filebrowser/v2
Fixed in: 2.61.3, 2.61.2
CVE-2026-32759 describes a Remote Code Execution (RCE) vulnerability discovered in filebrowser/filebrowser/v2, a self-hosted file manager. This flaw allows an authenticated user with upload permissions to trigger arbitrary after_upload hooks, potentially leading to code execution. The vulnerability affects versions of filebrowser/filebrowser/v2 up to and including 2.61.1. A patch is expected to be released by the maintainers.
The vulnerability stems from insufficient validation of the Upload-Length header within the TUS resumable upload handler. An attacker can craft a malicious PATCH request with a negative Upload-Length value. This bypasses the intended logic, causing the server to prematurely consider the upload complete. Consequently, the configured after_upload hook is executed, regardless of whether a complete or valid file was actually uploaded. This allows an attacker to trigger arbitrary code execution on the server, potentially leading to complete system compromise. The impact is particularly severe as it requires only authentication and upload permissions, making it accessible to a wider range of users within the filebrowser environment.
This vulnerability was publicly disclosed on 2026-03-16. There are currently no known public exploits or active campaigns targeting this vulnerability. It is not listed on the CISA KEV catalog at the time of writing. The vulnerability's ease of exploitation and potential impact warrant close monitoring.
Organizations using filebrowser/filebrowser/v2 for file management are affected, particularly those with publicly accessible upload endpoints or those who have configured custom after_upload hooks. Shared hosting environments where multiple users share the same filebrowser instance are also at increased risk.
• linux / server:
journalctl -u filebrowser -g 'after_upload' | grep -i 'error'
• generic web:
curl -I 'http://your-filebrowser-url/upload' -H 'Upload-Length: -1' | grep '200 OK'
Exploit Status
EPSS: 0.18% (40th percentile)
CISA SSVC
The primary mitigation is to upgrade to a patched version of filebrowser/filebrowser/v2 as soon as it becomes available. Until a patch is released, consider disabling the after_upload hook functionality entirely within the filebrowser configuration. If disabling the hook is not feasible, restrict access to the upload functionality to trusted users only. Implement a Web Application Firewall (WAF) rule to filter out PATCH requests with negative Upload-Length headers. Monitor filebrowser logs for unusual activity, specifically looking for repeated after_upload hook executions with small or zero-byte files.
No fixed version was available at the time of analysis. It is recommended to disable the TUS endpoint (/api/tus) or disable the exec hooks (enableExec=false) until an update is published. Monitor the security updates in the File Browser repository.
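The two points above (the insufficient Upload-Length check described in the vulnerability summary, and the WAF-style filtering of negative Upload-Length values recommended as a mitigation) can be illustrated with a small Go example. This is added code, not filebrowser's own handler: the `vulnerableComplete` predicate is a hypothetical reconstruction of a completion check that a negative length would satisfy, `uploadComplete` is the hardened form, and `requireValidUploadLength` is a hypothetical middleware that rejects non-numeric or negative `Upload-Length`/`Upload-Offset` headers before a request reaches the TUS handler. The header names are the standard TUS ones; the `/api/tus/example-file` path and the request values are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
)

// Standard TUS resumable-upload header names.
const (
	hdrUploadLength = "Upload-Length"
	hdrUploadOffset = "Upload-Offset"
)

// parseNonNegative parses a TUS size header and rejects anything that is not
// a non-negative integer. This is the validation the advisory describes as
// missing in the affected versions.
func parseNonNegative(name, raw string) (int64, error) {
	n, err := strconv.ParseInt(raw, 10, 64)
	if err != nil {
		return 0, fmt.Errorf("%s %q is not an integer", name, raw)
	}
	if n < 0 {
		return 0, fmt.Errorf("%s %d is negative", name, n)
	}
	return n, nil
}

// vulnerableComplete is a hypothetical reconstruction of a completion check
// that only compares offset against length: with length = -1 it returns true
// for an empty upload, so post-upload hooks would fire immediately.
func vulnerableComplete(offset, length int64) bool {
	return offset >= length
}

// uploadComplete is the hardened predicate: the declared length must be
// non-negative and the received bytes must match it exactly.
func uploadComplete(offset, length int64) bool {
	return length >= 0 && offset == length
}

// requireValidUploadLength is a hypothetical middleware in front of the TUS
// endpoint. Any request carrying an invalid Upload-Length or Upload-Offset is
// answered with 400 and never reaches the handler that runs hooks.
func requireValidUploadLength(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for _, name := range []string{hdrUploadLength, hdrUploadOffset} {
			if raw := r.Header.Get(name); raw != "" {
				if _, err := parseNonNegative(name, raw); err != nil {
					http.Error(w, err.Error(), http.StatusBadRequest)
					return
				}
			}
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends one constructed request through the middleware and returns
// the HTTP status the client would see. The inner handler stands in for the
// real TUS handler and simply answers 204.
func statusFor(method, uploadLength string) int {
	next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusNoContent)
	})
	req := httptest.NewRequest(method, "/api/tus/example-file", nil) // constructed path
	if uploadLength != "" {
		req.Header.Set(hdrUploadLength, uploadLength)
	}
	rec := httptest.NewRecorder()
	requireValidUploadLength(next).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("PATCH with Upload-Length -1  ->", statusFor(http.MethodPatch, "-1"))   // 400
	fmt.Println("PATCH with Upload-Length 1024 ->", statusFor(http.MethodPatch, "1024")) // 204
	fmt.Println("vulnerable check, 0 bytes of -1:", vulnerableComplete(0, -1))           // true
	fmt.Println("hardened check,   0 bytes of -1:", uploadComplete(0, -1))               // false
}
```

The middleware mirrors what a WAF rule on the same header would do at the network edge; doing it in-process as well means the check survives deployments where no WAF sits in front of the instance. The exact-match completion predicate also prevents a hook from firing on a partial upload, which is the log pattern the monitoring advice above tells you to watch for.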
CVE-2026-32759 is a Remote Code Execution vulnerability in filebrowser/filebrowser/v2 versions up to 2.61.1. A negative Upload-Length header triggers arbitrary hook execution, potentially allowing attackers to run code on the server.
You are affected if you are running filebrowser/filebrowser/v2 version 2.61.1 or earlier. Check your version and upgrade as soon as a patch is available.
Upgrade to a patched version of filebrowser/filebrowser/v2 as soon as it is released. As a temporary workaround, disable the after_upload hook or restrict upload access.
As of now, there are no confirmed reports of active exploitation, but the vulnerability's potential impact warrants close monitoring.
Refer to the official filebrowser project's GitHub repository and website for updates and security advisories related to CVE-2026-32759.