Broken Access Control in FileRise Web File Manager by error311
CVE-2026-33330
7.1 HIGH
What is CVE-2026-33330?
FileRise, a self-hosted web file manager and WebDAV server, is affected by a broken access control vulnerability in its ONLYOFFICE integration. An authenticated user with read-only access can obtain a signed save callback URL for a file. With that URL the user can forge the ONLYOFFICE save callback and overwrite the original file with content of their choosing. The issue is fixed in version 3.10.0, and users should upgrade to that version.
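The class of check that closes this kind of gap, as an added example (not FileRise's code or its actual fix): a save-callback token is minted only for users with write access, is bound to the user and file, and is re-checked against current permissions when the callback arrives. All names, the ACL table and the key are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key"  # placeholder; a real server loads this from config
# Constructed sample permissions: (user, file) -> access level
ACL = {("alice", "report.docx"): "write",
       ("bob", "report.docx"): "read"}

def can_write(user, file_id):
    return ACL.get((user, file_id)) == "write"

def _sign(user, file_id, expires):
    msg = json.dumps([user, file_id, expires]).encode()  # unambiguous field encoding
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def issue_callback_params(user, file_id, ttl=300, now=None):
    """Mint save-callback parameters only for users allowed to write the file."""
    if not can_write(user, file_id):
        # Read-only sessions should get a view-only editor config with no callback.
        raise PermissionError("write access required for a save callback")
    expires = int(time.time() if now is None else now) + ttl
    return {"user": user, "file": file_id, "exp": expires,
            "sig": _sign(user, file_id, expires)}

def verify_callback(params, now=None):
    """Accept a save only if signature, expiry and the current ACL all agree."""
    now = int(time.time() if now is None else now)
    try:
        user, file_id = params["user"], params["file"]
        exp, sig = int(params["exp"]), str(params["sig"])
        expected = _sign(user, file_id, exp)
    except (KeyError, ValueError, TypeError):
        return False
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False
    if exp < now:
        return False
    # Re-check at save time: access may have been revoked since issuance.
    return can_write(user, file_id)
```
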
Affected Version(s)
FileRise < 3.10.0
