What is the CVSS score of CVE-2026-33072?

CVE-2026-33072 has a CVSS 3.1 base score of 8.2 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N. EPSS exploitation probability: 0.0%.

Which versions of FileRise are affected by CVE-2026-33072?

FileRise versions prior to 3.9.0 contain a hardcoded encryption key that enables unauthenticated attackers to forge file upload tokens and decrypt sensitive administrative credentials including OIDC…. A patch is available.

How to fix or mitigate CVE-2026-33072?

Within 24 hours: Identify all FileRise instances in your environment and document current versions. Within 7 days: Upgrade FileRise to version 3.9.0 or later; rotate all OIDC client secrets and SMTP credentials stored in FileRise configuration. Within 30 days: Conduct access logs review for suspicious file uploads during the vulnerability window, and implement configuration management to prevent hardcoded secrets in future deployments.

FileRise CVE-2026-33072

EUVD-2026-13643 HIGH

Use of Hard-coded Credentials (CWE-798)

2026-03-20 GitHub_M

Authentication Bypass File Upload

8.2

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Updated

Apr 16, 2026 - 06:19 EUVD-patch-fix

executive_summary

Re-analysis Queued

Apr 16, 2026 - 05:29 backfill_euvd_patch

patch_released

Patch available

Apr 16, 2026 - 05:29 EUVD

3.9.0

EUVD ID Assigned

Mar 20, 2026 - 08:45 euvd

EUVD-2026-13643

Analysis Generated

Mar 20, 2026 - 08:45 vuln.today

CVE Published

Mar 20, 2026 - 08:31 nvd

HIGH 8.2

DescriptionNVD

FileRise is a self-hosted web file manager / WebDAV server. In versions prior to 3.9.0, a hardcoded default encryption key (default_please_change_this_key) is used for all cryptographic operations - HMAC token generation, AES config encryption, and session tokens - allowing any unauthenticated attacker to forge upload tokens for arbitrary file upload to shared folders, and to decrypt admin configuration secrets including OIDC client secrets and SMTP passwords. FileRise uses a single key (PERSISTENT_TOKENS_KEY) for all crypto operations. The default value default_please_change_this_key is hardcoded in two places and used unless the deployer explicitly overrides the environment variable. This issue is fixed in version 3.9.0.

AnalysisAI

FileRise, a self-hosted web file manager and WebDAV server, contains a critical hardcoded encryption key vulnerability in versions prior to 3.9.0. The default key 'default_please_change_this_key' is used for all cryptographic operations including HMAC token generation, AES configuration encryption, and session tokens, allowing unauthenticated attackers to forge upload tokens for arbitrary file upload and decrypt sensitive admin configuration data such as OIDC client secrets and SMTP passwords. …

RemediationAI

Within 24 hours: Identify all FileRise instances in your environment and document current versions. Within 7 days: Upgrade FileRise to version 3.9.0 or later; rotate all OIDC client secrets and SMTP credentials stored in FileRise configuration. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-33072 vulnerability details – vuln.today

Back

FileRise CVE-2026-33072

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code