Skip to main content

Suse EUVDEUVD-2026-12080

| CVE-2026-30961 MEDIUM
Improper Input Validation (CWE-20)
2026-03-13 https://github.com/Forceu/Gokapi GHSA-45vh-rpc8-hxpp
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 13, 2026 - 19:00 euvd
EUVD-2026-12080
Analysis Generated
Mar 13, 2026 - 19:00 vuln.today
CVE Published
Mar 13, 2026 - 18:56 nvd
MEDIUM 4.3

DescriptionGitHub Advisory

Summary

The chunked upload completion path for file requests does not validate the total file size against the per-request MaxSize limit. An attacker with a public file request link can split an oversized file into chunks each under MaxSize and upload them sequentially, bypassing the size restriction entirely. Files up to the server's global MaxFileSizeMB are accepted regardless of the file request's configured limit.

Impact

Any guest with access to a shared file request link can upload files far larger than the administrator-configured size limit, up to the server's global MaxFileSizeMB. This allows unauthorized storage consumption, circumvention of administrative resource policies, and potential service disruption through storage exhaustion. No data exposure or privilege escalation occurs.

AnalysisAI

A validation bypass in the chunked file upload completion logic for file requests allows attackers to circumvent per-request file size limits by splitting oversized files into smaller chunks that individually pass validation. Attackers with access to a public file request link can sequentially upload chunks to exceed the administrator-configured MaxSize limit, uploading files up to the server's global MaxFileSizeMB threshold. This enables unauthorized storage consumption and potential service disruption through storage exhaustion, though no data exposure or privilege escalation occurs; the vulnerability carries a CVSS score of 4.3 with EPSS and KEV status not currently indicated as critical, suggesting limited real-world exploitation pressure despite straightforward attack mechanics.

Technical ContextAI

The vulnerability exists in the file request upload completion endpoint, which implements chunked transfer encoding to support large file uploads. The root cause is classified under CWE-20 (Improper Input Validation), specifically the failure to validate the aggregate file size against the per-request MaxSize parameter during chunk reassembly. The upload service validates individual chunks against MaxSize but does not perform cumulative validation when combining chunks into the final file during the completion phase. This is a classic input validation flaw where boundary checks are performed at an intermediate step but bypassed at the final assembly stage. The affected technology involves HTTP chunked transfer encoding combined with a multi-stage upload workflow that separates chunk acceptance from final size validation.

RemediationAI

Implement cumulative file size validation in the chunked upload completion handler to verify that the total reassembled file size does not exceed the per-request MaxSize limit, in addition to existing per-chunk validation. Apply the vendor patch or upgrade to the patched version once available from your vendor's security advisory. As an interim mitigation, reduce the global MaxFileSizeMB configuration to match or be slightly above the largest permissible per-request MaxSize to limit the damage radius, implement server-side monitoring and alerting for unusual upload patterns or rapid sequential chunk uploads, and consider restricting file request links to authenticated users only or enabling rate limiting on chunk upload endpoints. Additionally, enforce storage quota enforcement at the filesystem or container level to prevent storage exhaustion from causing complete service denial.

Vendor StatusVendor

SUSE

Severity: Medium

Share

EUVD-2026-12080 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy