
CVE-2026-32867: CWE-639 Authorization Bypass Through User-Controlled Key in OPEXUS eComplaint

Severity: Medium
Tags: vulnerability, CVE-2026-32867, CWE-639, CWE-425
Published: Thu Mar 19 2026 (03/19/2026, 15:48:35 UTC)
Source: CVE Database V5
Vendor/Project: OPEXUS
Product: eComplaint

Description

CVE-2026-32867 is a medium severity vulnerability in OPEXUS eComplaint versions prior to 10.1.0.0 that allows unauthenticated attackers to upload arbitrary files by guessing or obtaining existing case numbers via the 'Portal/EEOC/DocumentUploadPub.aspx' endpoint. This authorization bypass vulnerability (CWE-639) enables attackers to place unexpected files into cases visible to users, potentially leading to storage exhaustion if many files are uploaded. The vulnerability does not impact confidentiality but affects integrity and availability due to unauthorized file uploads and resource consumption. Exploitation requires no authentication but does require user interaction to trigger the upload process. No known exploits are currently in the wild, and no patches have been published yet. Organizations using affected versions should monitor for updates and restrict access to the upload endpoint where possible.

AI-Powered Analysis

Last updated: 03/19/2026, 16:25:03 UTC

Technical Analysis

CVE-2026-32867 is an authorization bypass vulnerability identified in OPEXUS eComplaint software versions before 10.1.0.0. The flaw resides in the 'Portal/EEOC/DocumentUploadPub.aspx' component, which handles document uploads related to complaint cases. Due to insufficient authorization checks (CWE-639), an unauthenticated attacker can guess or obtain valid case numbers and upload arbitrary files to those cases. This unauthorized upload capability means attackers can inject unexpected files into the system, which users will see associated with legitimate cases. The vulnerability also aligns with CWE-425 (direct request) as the attacker manipulates user-controlled keys (case numbers) to bypass intended access controls. While confidentiality is not directly impacted, the integrity of case data is compromised by unauthorized file additions, and availability may be affected if attackers upload large volumes of files, exhausting storage resources. The CVSS 3.1 base score is 5.4 (medium), reflecting network attack vector, low attack complexity, no privileges required, but requiring user interaction. No patches or known exploits are currently available, indicating the vulnerability is newly disclosed. The vulnerability highlights the need for robust authorization checks on user-controlled parameters and secure file upload handling in web applications managing sensitive complaint data.
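The CWE-639 pattern described above, as an added illustration that is not OPEXUS code: an upload handler that trusts the user-supplied case number as its only key, beside a hardened handler that requires a session, binds the case to that user, and caps uploads per case. The in-memory case store, the user names and the quota value are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Case:
    number: str
    owner: str                       # the only user allowed to attach documents
    files: list = field(default_factory=list)

class Forbidden(Exception):
    pass

MAX_FILES_PER_CASE = 3               # constructed quota for the example

def fresh_store() -> dict:
    """Constructed in-memory stand-in for the case database."""
    return {n: Case(n, o) for n, o in [("2026-0001", "alice"), ("2026-0002", "bob")]}

def upload_vulnerable(case_number: str, filename: str, store: dict) -> int:
    """CWE-639 pattern: the user-supplied case number is the only key consulted,
    so anyone who knows or guesses it can attach a file to that case."""
    case = store[case_number]
    case.files.append(filename)
    return len(case.files)

def upload_hardened(user: Optional[str], case_number: str, filename: str, store: dict) -> int:
    """Requires a session, binds the case to that user, and caps uploads per case."""
    if user is None:
        raise Forbidden("authentication required")
    case = store.get(case_number)
    # Same response for unknown and foreign cases so case numbers cannot be enumerated.
    if case is None or case.owner != user:
        raise Forbidden("case not accessible")
    if len(case.files) >= MAX_FILES_PER_CASE:
        raise Forbidden("upload quota reached for this case")
    case.files.append(filename)
    return len(case.files)

def try_upload(user: Optional[str], case_number: str, filename: str, store: dict) -> str:
    """Outcome as a string, convenient for comparing the two handlers."""
    try:
        return f"ok:{upload_hardened(user, case_number, filename, store)}"
    except Forbidden as exc:
        return f"forbidden:{exc}"
```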

Potential Impact

The primary impact of CVE-2026-32867 is on the integrity and availability of the OPEXUS eComplaint system. Unauthorized file uploads can lead to data pollution within complaint cases, potentially confusing case handlers or users relying on accurate documentation. If attackers upload malicious files, there is a risk of further exploitation depending on how these files are processed or accessed. Additionally, uploading large numbers of files can consume significant storage resources, potentially degrading system performance or causing denial of service due to storage exhaustion. Organizations relying on eComplaint for managing sensitive complaint data may face operational disruptions and increased administrative overhead to identify and remove unauthorized files. Although confidentiality is not directly compromised, the presence of unauthorized files could undermine trust in the system's data integrity. The lack of authentication requirement lowers the barrier for attackers, increasing the risk of widespread exploitation if the vulnerability is not remediated promptly.

Mitigation Recommendations

To mitigate CVE-2026-32867, organizations should implement the following specific measures:

1) Immediately restrict access to the 'Portal/EEOC/DocumentUploadPub.aspx' endpoint by IP whitelisting or network segmentation to limit exposure to trusted users only.
2) Implement server-side validation to enforce strict authorization checks ensuring that file uploads are only accepted for cases associated with authenticated and authorized users.
3) Introduce rate limiting and upload quotas per case or user to prevent storage exhaustion from mass uploads.
4) Monitor logs for unusual upload activity, such as repeated attempts to upload files to multiple case numbers or large volumes of uploads from single IP addresses.
5) Employ file type and content validation to prevent malicious files from being uploaded.
6) Prepare to apply vendor patches promptly once released, and consider virtual patching via web application firewalls (WAFs) to block suspicious upload requests based on patterns like missing authentication tokens or anomalous case number formats.
7) Educate users and administrators to recognize and report unexpected files appearing in cases.

These targeted actions go beyond generic advice by focusing on access control, monitoring, and proactive filtering specific to this vulnerability's exploitation vector.
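The log monitoring in item 4, as an added example that is not part of this analysis or the product: it scans web-server access log lines for POSTs to the upload endpoint and flags clients that spread uploads across many distinct case numbers or submit a high volume. The Common Log Format, the 'caseNumber' query parameter name, the thresholds and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict

ENDPOINT = "/Portal/EEOC/DocumentUploadPub.aspx"
# Common Log Format: ip ident user [timestamp] "METHOD path HTTP/x" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def _line(ip: str, sec: int, case: str) -> str:
    """Build one constructed upload request line for the sample log."""
    return (f'{ip} - - [19/Mar/2026:15:50:{sec:02d} +0000] '
            f'"POST {ENDPOINT}?caseNumber={case} HTTP/1.1" 200 512')

# Constructed sample: one client walking case numbers, one flooding a single case,
# one legitimate user who also just loads the form with a GET.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", i, f"2026-{i:04d}") for i in range(1, 6)]
    + [_line("192.0.2.9", i, "2026-0007") for i in range(12)]
    + [_line("198.51.100.4", 30, "2026-0042"),
       f'198.51.100.4 - - [19/Mar/2026:15:51:00 +0000] "GET {ENDPOINT} HTTP/1.1" 200 1024']
)

def analyze(log_text: str, max_distinct_cases: int = 3, max_uploads: int = 10) -> dict:
    """Return {ip: {"uploads": n, "cases": k, "reasons": [...]}} for clients over a threshold."""
    uploads = defaultdict(int)
    cases = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith(ENDPOINT):
            continue                                  # only upload POSTs count
        query = m["path"].partition("?")[2]
        params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
        uploads[m["ip"]] += 1
        cases[m["ip"]].add(params.get("caseNumber", "?"))
    findings = {}
    for ip, n in uploads.items():
        reasons = []
        if len(cases[ip]) > max_distinct_cases:      # case-number enumeration
            reasons.append(f"{len(cases[ip])} distinct case numbers")
        if n > max_uploads:                           # storage-exhaustion volume
            reasons.append(f"{n} uploads")
        if reasons:
            findings[ip] = {"uploads": n, "cases": len(cases[ip]), "reasons": reasons}
    return findings
```

Feed real access logs through `analyze` and tune the two thresholds to the normal per-client upload rate of the deployment.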


Technical Details

Data Version: 5.2
Assigner Short Name: cisa-cg
Date Reserved: 2026-03-16T20:57:29.387Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69bc1fb1e32a4fbe5fd8212f

Added to database: 3/19/2026, 4:09:21 PM

Last enriched: 3/19/2026, 4:25:03 PM

Last updated: 3/19/2026, 5:36:29 PM
