Description
FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. Prior to 3.12.0, /api/totp_setup.php is callable from a session that has only passed the password check (state pending_login_user). When the target account already has TOTP configured, the endpoint decrypts and returns the user's existing TOTP secret inside the QR PNG instead of refusing or generating a new secret. An attacker who already possesses the victim's password can therefore retrieve the live TOTP secret, derive a valid one-time code, submit it to /api/totp_verify.php, and obtain a fully authenticated session without ever possessing the victim's authenticator device. This vulnerability is fixed in 3.12.0.
Published: 2026-05-27
Score: 7.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows an attacker who already knows a victim's password to retrieve the account's existing TOTP secret from the /api/totp_setup.php endpoint. When called by a session that has passed only the password check (state pending_login_user), the endpoint decrypts the stored secret and returns it inside a QR PNG rather than refusing or generating a new one. With the secret in hand, the attacker can compute a valid one-time code, submit it to /api/totp_verify.php, and authenticate as the victim without the authenticator device. The weakness combines information disclosure (CWE-200), improper authentication (CWE-287), and missing authentication for a critical function (CWE-306); in effect it reduces the account's second factor to the password alone. Per the CVSS vector the impact is high on confidentiality and integrity and none on availability: the attacker gains everything the victim's session can do, but the service itself is not disrupted.
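The attack chain above, as an added example written for this page: it is not FileRise code and does not reproduce the project's PHP. The two setup handlers model the pre-3.12.0 gate as the advisory describes it and an assumed hardened gate (not necessarily the 3.12.0 patch); the user store, session dictionary and otpauth URI layout are constructed stand-ins, and the TOTP routine is checked against the RFC 6238 test vector. QR decoding of the PNG is left out, since the otpauth string is what a decoder returns.

```python
"""Model of the CVE-2026-44460 attack chain. Constructed example, not FileRise code."""
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import parse_qs, urlparse

PENDING = "pending_login_user"   # password accepted, second factor still outstanding
AUTHENTICATED = "authenticated"  # password and TOTP both accepted

# Constructed stand-in for the per-user store. The real app keeps the secret
# encrypted at rest; decryption is immaterial to the logic error, so it is omitted.
USERS = {"alice": {"totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"}}


def totp(secret_b32, for_time, digits=6, step=30):
    """RFC 6238 TOTP over HMAC-SHA1, the default most authenticator apps use."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)  # restore stripped padding
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", for_time // step)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def secret_from_otpauth_uri(uri):
    """The secret a QR decoder would recover from the enrolment PNG."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    return parse_qs(parsed.query)["secret"][0]


def enrolment_uri(username, secret):
    # Assumed label/issuer layout; the real PNG content is not shown on the page.
    return f"otpauth://totp/FileRise:{username}?secret={secret}&issuer=FileRise"


def totp_setup_vulnerable(session):
    """Pre-3.12.0 behaviour as the advisory describes it: a session that has only
    passed the password check is accepted, and an existing secret is handed back."""
    if session.get("state") not in (PENDING, AUTHENTICATED):
        raise PermissionError("login required")
    user = USERS[session["user"]]
    user.setdefault("totp_secret", base64.b32encode(secrets.token_bytes(20)).decode())
    return enrolment_uri(session["user"], user["totp_secret"])


def totp_setup_fixed(session):
    """Hardened gate (assumed policy): only a fully authenticated session may enrol,
    and an account that already holds a secret is refused rather than shown it.
    Re-enrolment would start by disabling TOTP from an authenticated session."""
    if session.get("state") != AUTHENTICATED:
        raise PermissionError("second factor not yet verified")
    user = USERS[session["user"]]
    if user.get("totp_secret"):
        raise PermissionError("TOTP already enrolled; disable it before re-enrolling")
    user["totp_secret"] = base64.b32encode(secrets.token_bytes(20)).decode()
    return enrolment_uri(session["user"], user["totp_secret"])


def totp_verify(session, code, now, step=30):
    """Second-factor check: accept the current step and one on either side, then
    promote the session. Constant-time compare avoids a timing side channel."""
    secret = USERS[session["user"]]["totp_secret"]
    for t in (now - step, now, now + step):
        if hmac.compare_digest(totp(secret, t, step=step), code):
            session["state"] = AUTHENTICATED
            return True
    return False


def attack_chain(username, now):
    """Attacker holds the password only: reach pending_login_user, pull the secret
    from the setup endpoint, mint a code, and pass verification."""
    session = {"user": username, "state": PENDING}
    uri = totp_setup_vulnerable(session)
    code = totp(secret_from_otpauth_uri(uri), now)
    return totp_verify(session, code, now) and session["state"] == AUTHENTICATED


if __name__ == "__main__":
    print("vulnerable endpoint lets a password-only attacker in:", attack_chain("alice", 59))
    try:
        totp_setup_fixed({"user": "alice", "state": PENDING})
    except PermissionError as err:
        print("fixed endpoint refuses the pending session:", err)
```

The stored secret is the RFC 6238 reference seed, so `totp(..., 59)` yields the documented 287082 and the chain can be checked offline. Note that the fixed gate closes both halves of the bug: the state check stops the pending session, and the refuse-if-enrolled rule means even a fully authenticated caller (for instance one riding a stolen cookie) cannot read the live secret back.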

Affected Systems

FileRise, a self‑hosted web‑based file manager. All versions prior to 3.12.0 are vulnerable; the fix was released in 3.12.0.

Risk and Exploitability

The CVSS 3.1 base score of 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) describes a network-reachable flaw with high attack complexity, because the attacker must first obtain the victim's password; beyond that, no privileges or user interaction are needed. EPSS is not available and the issue is not listed in CISA KEV. The practical risk is that TOTP no longer protects accounts whose passwords have been phished, reused or leaked: once the secret is retrieved, the attacker holds a fully authenticated session and can perform any action the victim can, and the disclosed secret stays valid until the victim re-enrols.

Generated by OpenCVE AI on May 27, 2026 at 21:03 UTC.

Remediation

The vendor states the issue is fixed in FileRise 3.12.0. No separate workaround has been published.

OpenCVE Recommended Actions

  • Upgrade FileRise to version 3.12.0 or later to eliminate the endpoint flaw
  • Until upgraded, restrict /api/totp_setup.php so it is reachable only from a fully authenticated session (never from the pending_login_user state) and never returns an existing secret: enrolment for an account that already has TOTP should be refused or should mint a fresh secret
  • Monitor calls to /api/totp_setup.php and alert when the calling account already has TOTP enabled, or when a setup request is followed by a /api/totp_verify.php success from a client the account has not used before



Advisories

No advisories yet.

History

Thu, 28 May 2026 02:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Error311
                                      Error311 filerise
Vendors & Products                    Error311
                                      Error311 filerise

Wed, 27 May 2026 17:45:00 +0000

Type          Values Removed   Values Added
Description                    FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. Prior to 3.12.0, /api/totp_setup.php is callable from a session that has only passed the password check (state pending_login_user). When the target account already has TOTP configured, the endpoint decrypts and returns the user's existing TOTP secret inside the QR PNG instead of refusing or generating a new secret. An attacker who already possesses the victim's password can therefore retrieve the live TOTP secret, derive a valid one-time code, submit it to /api/totp_verify.php, and obtain a fully authenticated session without ever possessing the victim's authenticator device. This vulnerability is fixed in 3.12.0.
Title                          FileRise: TOTP Bypass via Setup Endpoint Disclosing Existing Secret
Weaknesses                     CWE-200, CWE-287, CWE-306
References
Metrics                        cvssV3_1 {'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}


Subscriptions

Error311 Filerise
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-27T16:39:12.264Z

Reserved: 2026-05-06T15:49:25.193Z

Link: CVE-2026-44460

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-27T18:16:23.707

Modified: 2026-05-27T18:16:23.707

Link: CVE-2026-44460

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T02:15:03Z

Weaknesses