PT-2026-26589 · Filerise · Filerise

N0Rv-Tvt · Published 2026-03-20 · Updated 2026-03-22 · CVE-2026-33072

CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: FileRise versions prior to 3.9.0

Description: FileRise is a self-hosted web file manager and WebDAV server. Versions prior to 3.9.0 use a hardcoded default encryption key ("default please change this key") for all cryptographic operations, including HMAC token generation, AES configuration encryption, and session tokens. Because the key is public, an unauthenticated attacker can forge upload tokens, which permits arbitrary file uploads to shared folders, and can decrypt administrator configuration secrets such as OIDC client secrets and SMTP passwords. The software uses a single key (PERSISTENT TOKENS KEY) for every cryptographic operation, and the default value remains in effect unless the deployer explicitly overrides it through an environment variable.

Recommendations: Versions prior to 3.9.0 should be updated to version 3.9.0 or later.
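The description names two separate defects: a shipped default key that stays in effect unless overridden, and one key reused for HMAC tokens, AES configuration encryption and sessions. The following Python is an added example (not FileRise code) of how a deployment-side startup check and per-purpose key derivation address both; the underscored variable name PERSISTENT_TOKENS_KEY, the HKDF salt and the token payload are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets

# Default value named in the advisory: a deployment still using it is exposed.
DEFAULT_KEY = "default please change this key"
# Underscored environment variable name is an assumption for this example.
ENV_VAR = "PERSISTENT_TOKENS_KEY"
MIN_KEY_BYTES = 32


def validate_key(value):
    """Return None if the configured key is acceptable, else a reason string."""
    if value is None:
        return f"{ENV_VAR} is not set"
    if value.strip() == DEFAULT_KEY:
        return f"{ENV_VAR} is still the shipped default"
    if len(value.encode()) < MIN_KEY_BYTES:
        return f"{ENV_VAR} is shorter than {MIN_KEY_BYTES} bytes"
    return None

def load_master_key(env):
    """Fail closed at startup instead of silently falling back to the default."""
    reason = validate_key(env.get(ENV_VAR))
    if reason:
        raise RuntimeError(reason + "; generate one with generate_key()")
    return env[ENV_VAR].encode()

def derive_subkey(master, purpose):
    """HKDF-SHA256 (RFC 5869, one output block) with a per-purpose info string,
    so upload tokens, config encryption and sessions each get their own key
    and a leak of one derived key does not expose the others."""
    salt = b"filerise-key-separation-v1"  # constructed, fixed application salt
    prk = hmac.new(salt, master, hashlib.sha256).digest()  # HKDF-Extract
    return hmac.new(prk, purpose.encode() + b"\x01", hashlib.sha256).digest()  # HKDF-Expand T(1)

def sign_upload_token(master, payload):
    """HMAC over the token payload under the upload-token subkey only."""
    return hmac.new(derive_subkey(master, "upload-token"), payload, hashlib.sha256).hexdigest()

def verify_upload_token(master, payload, tag):
    return hmac.compare_digest(sign_upload_token(master, payload), tag)

def generate_key():
    """64 hex characters of OS randomness: the value to set in the environment."""
    return secrets.token_hex(MIN_KEY_BYTES)
```

A token minted under the default key no longer verifies once a real key is configured, which is the property the upgrade to 3.9.0 restores.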

Weakness Enumeration

Using Hardcoded Credentials

Related Identifiers

CVE-2026-33072
GHSA-F4XX-57CV-MG3X

Affected Products

Filerise