HIGH | CVE-2026-50879 | Published | Modified | CNA: mitre

CVE-2026-50879: An issue in the uploadPostHandler component of Andrei Marcu linx-server v2

An issue in the uploadPostHandler component of Andrei Marcu linx-server v2.3.8 allows attackers to cause a Denial of Service (DoS) via a crafted POST request.

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: (not listed)
Affected Products: 1


HarborGuard Analysis

Synopsis

A denial-of-service vulnerability exists in the uploadPostHandler component of linx-server v2.3.8, a self-hosted file sharing server. The flaw is reachable over the network with no authentication required, so any internet-accessible instance is exposed. A successful attacker can crash the service or render it unavailable by sending a crafted POST request. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.

HarborGuard Coverage

Detection

Detection of CVE-2026-50879 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of publication using data ingested from upstream advisory feeds. Coverage extends to custom-built images that include linx-server v2.3.8, not just images pulled from public registries.

Status: Available
Triage

Triage is available with the CVSS v3.1 score of 7.5 (HIGH) applied automatically, and per-environment compliance policy weighting can escalate or suppress the alert based on each organization's configured thresholds. Findings are routed to the appropriate team inbox within each customer organization according to their defined policy.

Status: Available
Patch

No fix version has been published upstream for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream maintainer ships a fix. Customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads automatically at that point.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable uploadPostHandler endpoint is exposed over the network, so an attacker must be able to send HTTP POST requests to the linx-server instance.

  • Authentication: Not required

    No credentials or account are needed; the handler accepts unauthenticated POST requests from any caller.

  • Victim interaction: Not required

    The attacker sends a crafted POST request directly and does not require any action from a legitimate user or administrator.

  • Attack complexity: Detail

    Exploitation is reliable and condition-free; no race conditions, special memory layout, or environmental prerequisites are needed beyond network access.

Blast Radius

  • Crashes or hangs the linx-server process, making file upload and retrieval unavailable for all users of the instance.
  • Sustained requests can keep the service down indefinitely, preventing any legitimate use of the file sharing endpoint.
  • Container restarts triggered by the crash may create load spikes or expose restart-loop behavior to monitoring and on-call teams.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists yet, HarborGuard continuously monitors the advisory on every ingest cycle and will automatically surface a patched-image rebuild opportunity the moment the maintainer publishes a fix version. In the interim, compensating controls are worth considering: network-policy rules that restrict POST access to the upload endpoint to trusted IP ranges, ingress-layer rate limiting to reduce the impact of a flood of crafted requests, and feature-flag or reverse-proxy gating that disables the upload handler if the feature is not actively needed. For customers with auto-remediation enabled, a rebuild and regression-test run will be triggered immediately upon upstream fix publication, with a PR opened against affected workloads.
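
The compensating controls named above, sketched as an nginx reverse-proxy configuration. This is an added example, not configuration from HarborGuard or the linx-server project; the /upload path, the 127.0.0.1:8080 backend, the hostname and the 10.0.0.0/8 range are assumptions to replace with your own values.

```nginx
# Added example: gate the linx-server upload handler at the reverse proxy.
# Assumptions (not stated in the advisory): linx-server listens only on
# 127.0.0.1:8080, uploads are handled under /upload, and 10.0.0.0/8 is the
# trusted source range. Place this file where it is included inside http {}
# (for example conf.d/), since limit_req_zone is only valid in that context.

# Control 2: per-client rate limit for the upload path.
limit_req_zone $binary_remote_addr zone=linx_upload:10m rate=5r/m;
limit_req_status 429;

server {
    listen 80;
    server_name files.example.internal;      # placeholder hostname

    location /upload {
        # Control 3: if uploads are not needed at all, replace the rest of
        # this block with the single line below.
        # return 403;

        # Control 1: only trusted ranges may use methods other than GET/HEAD
        # (POST, PUT, DELETE, ...). Everyone else gets 403.
        limit_except GET HEAD {
            allow 10.0.0.0/8;                # placeholder trusted range
            deny  all;
        }

        # Applies to every request that reaches this location.
        limit_req zone=linx_upload burst=5 nodelay;

        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Downloads and the rest of the site remain reachable.
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

These controls only hold if the linx-server port itself is not reachable from outside the proxy host; 403 and 429 counts for /upload in the access log are the signal to watch.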

Affected packages
  • n/a / n/a
    n/a
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H