Description
FileRise is a self-hosted web file manager / WebDAV server. In versions prior to 3.9.0, a hardcoded default encryption key (default_please_change_this_key) is used for all cryptographic operations — HMAC token generation, AES config encryption, and session tokens — allowing any unauthenticated attacker to forge upload tokens for arbitrary file upload to shared folders, and to decrypt admin configuration secrets including OIDC client secrets and SMTP passwords. FileRise uses a single key (PERSISTENT_TOKENS_KEY) for all crypto operations. The default value default_please_change_this_key is hardcoded in two places and used unless the deployer explicitly overrides the environment variable. This issue is fixed in version 3.9.0.
Published: 2026-03-20
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access and Secrets Exposure
Action: Immediate Patch
AI Analysis

Impact

FileRise versions before 3.9.0 use a default encryption key (default_please_change_this_key) hardcoded for all cryptographic operations, including HMAC token generation, AES config encryption, and session tokens. Because the key is predictable and not overridden, an attacker can forge upload tokens, allowing arbitrary file uploads to shared folders, and can decrypt administrator configuration, such as OIDC client secrets and SMTP passwords. The weakness represents CWE‑1188 (Use of Hardcoded Salt) and CWE‑798 (Use of Hardcoded Credentials). The impact includes loss of confidentiality and integrity for configuration data and potential unauthorized file placement.

Affected Systems

The flaw affects the FileRise self‑hosted web file manager/WebDAV server in all releases earlier than version 3.9.0. Any deployment that has not set the PERSISTENT_TOKENS_KEY environment variable to a unique, strong value remains vulnerable. No other vendors or products are listed as impacted.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity, while the EPSS score of less than 1% suggests low current exploitation likelihood; FileRise is not in the CISA KEV catalog. Based on the description, the likely attack vector is HTTP-based: an unauthenticated attacker crafts requests with forged tokens to upload files. Because the token generation uses the hardcoded key and no authentication is required, remote exploitation is possible without valid credentials, allowing upload of arbitrary files and extraction of sensitive configuration.

Generated by OpenCVE AI on March 23, 2026 at 18:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update FileRise to version 3.9.0 or later, which removes the hardcoded key.
  • If upgrading is not immediately possible, set the PERSISTENT_TOKENS_KEY environment variable to a unique, strong secret to replace the default key.
  • Restrict network access to the FileRise management interface to trusted administrators and enable secure authentication.
  • Monitor application logs for suspicious upload activity and token verification failures.
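As an added example (not FileRise's own code, which is PHP, and not its token format), here is the deployment-side hardening the actions above describe: a startup guard that refuses the shipped default PERSISTENT_TOKENS_KEY, plus purpose-separated key derivation and constant-time token verification, which is the general fix for one raw key shared by HMAC tokens, config encryption and sessions. The token layout, the KDF salt and the purpose labels are assumptions made for illustration.

```python
import hashlib
import hmac
import os

DEFAULT_KEY = "default_please_change_this_key"  # the shipped default named in the advisory
MIN_KEY_BYTES = 32

def key_problem(key: str):
    """Why a PERSISTENT_TOKENS_KEY value is unacceptable, or None if it is fine."""
    if not key or key == DEFAULT_KEY:
        return "PERSISTENT_TOKENS_KEY is unset or still the shipped default"
    if len(key.encode()) < MIN_KEY_BYTES:
        return f"PERSISTENT_TOKENS_KEY is shorter than {MIN_KEY_BYTES} bytes"
    return None

def load_master_key(env=None) -> bytes:
    """Startup guard: fail closed instead of silently falling back to the default."""
    env = os.environ if env is None else env
    problem = key_problem(env.get("PERSISTENT_TOKENS_KEY", ""))
    if problem:
        raise RuntimeError(problem)
    return env["PERSISTENT_TOKENS_KEY"].encode()

def derive_subkey(master: bytes, purpose: str, length: int = 32) -> bytes:
    """HKDF (RFC 5869, SHA-256) keyed by purpose: tokens, config encryption and sessions get distinct keys."""
    prk = hmac.new(b"filerise-kdf-salt", master, hashlib.sha256).digest()  # Extract (salt is an assumption)
    out, block, counter = b"", b"", 1
    while len(out) < length:                                                # Expand
        block = hmac.new(prk, block + purpose.encode() + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]

def sign_upload_token(token_key: bytes, folder: str, expires: int) -> str:
    """Illustrative token layout (an assumption, not FileRise's): payload-hex '.' HMAC-hex."""
    payload = f"{folder}|{expires}".encode()
    return payload.hex() + "." + hmac.new(token_key, payload, hashlib.sha256).hexdigest()

def verify_upload_token(token_key: bytes, token: str, now: int):
    """Return the folder the token authorises, or None if the MAC or the expiry check fails."""
    try:
        payload_hex, mac = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
        folder, expires = payload.decode().rsplit("|", 1)
    except ValueError:
        return None  # malformed token: never leak which part failed
    expected = hmac.new(token_key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac) or now >= int(expires):
        return None
    return folder
```

A token minted under the config-encryption subkey (or under the old default key) fails verification against the upload-token subkey, which is the property the single shared key lacked.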


Advisories

No advisories yet.

History

Mon, 23 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Filerise
Filerise filerise
CPEs cpe:2.3:a:filerise:filerise:*:*:*:*:*:*:*:*
Vendors & Products Filerise
Filerise filerise

Fri, 20 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Error311
Error311 filerise
Vendors & Products Error311
Error311 filerise

Fri, 20 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
Description [added: identical to the description at the top of this page]
Title FileRise: Default Encryption Key Enables Token Forgery and Config Decryption
Weaknesses CWE-1188
CWE-798
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T18:07:22.683Z

Reserved: 2026-03-17T19:27:06.344Z

Link: CVE-2026-33072

Vulnrichment

Updated: 2026-03-20T16:04:52.939Z

NVD

Status: Analyzed

Published: 2026-03-20T09:16:15.710

Modified: 2026-03-23T15:53:41.367

Link: CVE-2026-33072

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:29:49Z

Weaknesses