CVE-2026-33072
HIGH
8,2
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: none
Scope: unchanged
Confidentiality: high
Integrity: low
Availability: none
Description
AI Translation Available
FileRise is a self-hosted web file manager / WebDAV server. In versions prior to 3.9.0, a hardcoded default encryption key (default_please_change_this_key) is used for all cryptographic operations — HMAC token generation, AES config encryption, and session tokens — allowing any unauthenticated attacker to forge upload tokens for arbitrary file upload to shared folders, and to decrypt admin configuration secrets including OIDC client secrets and SMTP passwords. FileRise uses a single key (PERSISTENT_TOKENS_KEY) for all crypto operations. The default value default_please_change_this_key is hardcoded in two places and used unless the deployer explicitly overrides the environment variable. This issue is fixed in version 3.9.0.
798
Use of Hard-coded Credentials
DraftCommon Consequences
Security Scopes Affected:
Access Control
Integrity
Confidentiality
Availability
Other
Potential Impacts:
Bypass Protection Mechanism
Read Application Data
Gain Privileges Or Assume Identity
Execute Unauthorized Code Or Commands
Other
Applicable Platforms
Technologies:
ICS/OT, Mobile
1188
Initialization of a Resource with an Insecure Default
IncompleteCommon Consequences
Security Scopes Affected:
Other
Potential Impacts:
Varies By Context
Applicable Platforms
All platforms may be affected
https://github.com/error311/FileRise/releases/tag/v3.9.0
https://github.com/error311/FileRise/security/advisories/GHSA-f4xx-57cv-mg3x