• Severity score:4.6
• CVSS score: Medium
• Security risk details:

  MIME type validation for file attachments doesn't take place in multi-extension processing or when null bytes are present. This allows attackers to circumvent the glide.attachment.extensions and glide.security.file.mime_type.validation system properties through null-byte injection, multi-extension file names and polyglot files, leading to malicious file uploads.

When the glide.attachment.enable_secure_filename_validation property is set to true:

• Uploads that previously passed may now be rejected.
• Integrations or automations that rely on generating file names with multiple dots or unusual patterns may fail until updated.
• Custom UI pages, scoped apps, or API consumers that upload files programmatically (especially with templated file names) may hit validation errors.
• CI/CD pipelines that import files, ATF tests, or legacy scripts may need updates to ensure compliant file names.

Functionality that does not rely on unsafe file name patterns continue to work normally.