Web File Manager Vulnerability in FileRise
CVE-2026-33072

8.2HIGH

Key Information:

Vendor: Error311
Status: Filerise
Vendor: CVE Published:; 20 March 2026

What is CVE-2026-33072?

FileRise, a self-hosted web file manager and WebDAV server, suffers from a serious vulnerability in its implementations prior to version 3.9.0. It utilizes a hardcoded default encryption key, which is employed across various cryptographic processes, including HMAC token generation, AES configuration encryption, and session token management. This design oversight permits unauthenticated attackers to forge upload tokens for arbitrary file uploads to shared directories and to decrypt sensitive administrative configuration secrets, including OIDC client details and SMTP credentials. The issue has been resolved in version 3.9.0, urging users to update to mitigate the risk.

Affected Version(s)

FileRise < 3.9.0

References

https://github.com/error311/FileRise/security/advisories/...

x_refsource_CONFIRM

https://github.com/error311/FileRise/releases/tag/v3.9.0

x_refsource_MISC

CVSS V3.1

Score:

8.2

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 20, 2026
Vulnerability Reserved
Mar 17, 2026

CVE-2026-33072 Data

JSON

Error311

What is CVE-2026-33072?

Affected Version(s)

References

CVSS V3.1

Timeline