CVE-2026-48500: filament unauth file upload drains

CISO Take

Filament, a widely-used Laravel admin UI framework commonly deployed in AI/ML application control panels, exposes an unauthenticated temporary file upload endpoint on all Livewire components—including forms never intended to accept uploads, such as the public login page. Because no authentication is required and the attack requires zero specialized knowledge, any external attacker can flood the application's temporary storage using a simple script. While uploaded files are not directly executed, this enables cost-harvesting attacks that exhaust cloud storage quotas or inflate object storage bills, and can cause denial of service on the admin interface managing AI pipelines if disk is shared with model artifacts or database writes. Patch immediately to Filament 3.3.52 (v3), 4.11.5 (v4), or 5.6.5 (v5); as an interim workaround, block multipart/form-data POSTs to unauthenticated Filament routes via WAF or restrict admin panel access to known IP ranges.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

MEDIUM risk. The vulnerability is trivially exploitable—zero authentication, no special tooling or AI/ML knowledge required, accessible from any network over HTTP. Impact is bounded: files land only in temporary storage and are not directly executed, so immediate code execution or data exfiltration are not primary outcomes. Primary risks are availability degradation through disk exhaustion and financial impact via runaway cloud storage costs, both of which are serious for production AI/ML deployments but not catastrophic in isolation. Exploitability is high; no public exploits or KEV listing at time of analysis. If the Laravel application's temp storage partition is shared with model checkpoints, training data, or PostgreSQL data directories, blast radius increases significantly.

How does the attack unfold?

Target Discovery

Attacker identifies a Filament-based Laravel admin panel via Livewire JavaScript asset fingerprinting or distinctive route patterns such as /admin/login.

AML.T0006

Unauthenticated Upload

Attacker POSTs multipart file data to the public login endpoint, triggering the inadvertently exposed WithFileUploads Livewire trait without any authentication.

AML.T0049

Storage Flooding

Automated upload loop writes large files to the application's temporary storage partition, either exhausting local disk or inflating cloud storage object counts and costs.

AML.T0034

Availability Impact

AI pipeline management dashboards, model version control interfaces, and operational admin tools become unavailable as disk writes fail or cloud storage budget alerts trigger throttling.

AML.T0029

Target Discovery

Attacker identifies a Filament-based Laravel admin panel via Livewire JavaScript asset fingerprinting or distinctive route patterns such as /admin/login.

AML.T0006

Unauthenticated Upload

Attacker POSTs multipart file data to the public login endpoint, triggering the inadvertently exposed WithFileUploads Livewire trait without any authentication.

AML.T0049

Storage Flooding

Automated upload loop writes large files to the application's temporary storage partition, either exhausting local disk or inflating cloud storage object counts and costs.

AML.T0034

Availability Impact

AI pipeline management dashboards, model version control interfaces, and operational admin tools become unavailable as disk writes fail or cloud storage budget alerts trigger throttling.

AML.T0029

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
filament	—	—	No patch

Do you use filament? You're affected.

How severe is it?

CVSS 3.1

6.5 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Unchanged

C None

I Low

A Low

What should I do?

5 steps

Patch: Upgrade Filament to 3.3.52 (v3 branch), 4.11.5 (v4 branch), or 5.6.5 (v5 branch) — the fix removes the WithFileUploads trait from components that do not require it.
Immediate workaround: place Filament admin routes behind network-level IP allowlisting or add WAF rules to block multipart/form-data POST requests to unauthenticated Filament endpoints (e.g., /admin/login, /admin).
Configure aggressive Livewire temp file cleanup — run the built-in php artisan livewire:clean scheduler at least every 30 minutes.
Monitor disk usage and cloud storage PUT request rates — anomalous spikes from unauthenticated source IPs are a reliable indicator of exploitation.
Apply bucket-level quotas and cost anomaly alerts on the cloud storage bucket receiving Livewire temp uploads.

How is it classified?

DoS Auth Bypass Framework AML.T0029 - Denial of AI Service AML.T0034 - Cost Harvesting AML.T0048.000 - Financial Harm AML.T0049 - Exploit Public-Facing Application

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001

8.1 - Operational planning and control

NIST AI RMF

MANAGE 2.2 - Mechanisms to sustain AI system performance

OWASP LLM Top 10

LLM04 - Model Denial of Service

Frequently Asked Questions

What is CVE-2026-48500?

Filament, a widely-used Laravel admin UI framework commonly deployed in AI/ML application control panels, exposes an unauthenticated temporary file upload endpoint on all Livewire components—including forms never intended to accept uploads, such as the public login page. Because no authentication is required and the attack requires zero specialized knowledge, any external attacker can flood the application's temporary storage using a simple script. While uploaded files are not directly executed, this enables cost-harvesting attacks that exhaust cloud storage quotas or inflate object storage bills, and can cause denial of service on the admin interface managing AI pipelines if disk is shared with model artifacts or database writes. Patch immediately to Filament 3.3.52 (v3), 4.11.5 (v4), or 5.6.5 (v5); as an interim workaround, block multipart/form-data POSTs to unauthenticated Filament routes via WAF or restrict admin panel access to known IP ranges.

Is CVE-2026-48500 actively exploited?

No confirmed active exploitation of CVE-2026-48500 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-48500?

1. Patch: Upgrade Filament to 3.3.52 (v3 branch), 4.11.5 (v4 branch), or 5.6.5 (v5 branch) — the fix removes the WithFileUploads trait from components that do not require it. 2. Immediate workaround: place Filament admin routes behind network-level IP allowlisting or add WAF rules to block multipart/form-data POST requests to unauthenticated Filament endpoints (e.g., /admin/login, /admin). 3. Configure aggressive Livewire temp file cleanup — run the built-in `php artisan livewire:clean` scheduler at least every 30 minutes. 4. Monitor disk usage and cloud storage PUT request rates — anomalous spikes from unauthenticated source IPs are a reliable indicator of exploitation. 5. Apply bucket-level quotas and cost anomaly alerts on the cloud storage bucket receiving Livewire temp uploads.

What systems are affected by CVE-2026-48500?

This vulnerability affects the following AI/ML architecture patterns: ML admin dashboards and control planes, AI pipeline orchestration dashboards, Model version management UIs, Data labeling and annotation platforms.

What is the CVSS score for CVE-2026-48500?

CVE-2026-48500 has a CVSS v3.1 base score of 6.5 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

ML admin dashboards and control planesAI pipeline orchestration dashboardsModel version management UIsData labeling and annotation platforms

MITRE ATLAS Techniques

AML.T0029 Denial of AI Service

AML.T0034 Cost Harvesting

AML.T0048.000 Financial Harm

AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 15

ISO 42001: 8.1

NIST AI RMF: MANAGE 2.2

OWASP LLM Top 10: LLM04

What are the technical details?

Original Advisory

Filament is a collection of full-stack components for accelerated Laravel development. From 3.0.0 until 3.3.52, 4.11.5, and 5.6.5, any schema can contain a file upload form field, so Filament applies Livewire's WithFileUploads trait to the Livewire component the schema is embedded in. However, some schemas, such as the panel login form, do not require file uploads, and exposing unauthenticated temporary file uploads on these components is not an acceptable risk. On these components, an unauthenticated attacker could upload arbitrary files to the application's temporary storage, which could be abused to exhaust disk space or inflate storage costs. This vulnerability is fixed in 3.3.52, 4.11.5, and 5.6.5.

Exploitation Scenario

An attacker fingerprints an AI platform's admin portal as Filament-based via Livewire JavaScript asset paths and distinctive route patterns. Without obtaining any credentials, they POST multipart file data to the public login endpoint, exploiting the inadvertently exposed WithFileUploads trait. Using a trivial bash script or Burp Repeater macro, they upload hundreds of large files per minute. Within minutes, the underlying disk partition — shared with the PostgreSQL data directory and model checkpoint storage — fills to capacity. The web server begins rejecting all write operations: inference logs stop, model autosave jobs fail, and the admin dashboard throws 500 errors. Simultaneously, if S3-compatible object storage is configured as the Livewire temp disk, PUT requests accumulate thousands of garbage objects, triggering cost alerts and potentially exhausting free-tier quotas. The AI operations team loses visibility into active incidents with no path to recovery short of manual disk cleanup and application restart.

Weaknesses (CWE)

CWE-862 Missing Authorization Primary CWE-862 Missing Authorization

CWE-862 — Missing Authorization: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

[Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
[Architecture and Design] Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Source: MITRE CWE corpus.