EUVD-2026-32584CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionNVD
FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. Prior to 3.12.0, /api/totp_setup.php is callable from a session that has only passed the password check (state pending_login_user). When the target account already has TOTP configured, the endpoint decrypts and returns the user's existing TOTP secret inside the QR PNG instead of refusing or generating a new secret. An attacker who already possesses the victim's password can therefore retrieve the live TOTP secret, derive a valid one-time code, submit it to /api/totp_verify.php, and obtain a fully authenticated session without ever possessing the victim's authenticator device. This vulnerability is fixed in 3.12.0.
AnalysisAI
Two-factor authentication bypass via TOTP secret disclosure affects FileRise self-hosted file manager before 3.12.0, where the /api/totp_setup.php endpoint can be reached from the intermediate 'pending_login_user' session state that exists after a correct password but before the TOTP check. For accounts that already have TOTP enabled, the endpoint decrypts and returns the existing TOTP secret inside the enrollment QR PNG rather than refusing, so an attacker who already holds the victim's password can extract the seed, compute a valid one-time code, and complete login without the victim's authenticator. …
Sign in for full analysis, threat intelligence, and remediation guidance.
RemediationAI
Within 24 hours: Identify all FileRise deployments and versions; flag systems handling sensitive data as priority. Within 7 days: Update all instances to FileRise 3.12.0 or later; after patching, require all users with TOTP enabled to re-enroll with new secrets. …
Sign in for detailed remediation steps.
Share
External POC / Exploit Code
Leaving vuln.today