EUVD-2026-13643
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
3Description
FileRise is a self-hosted web file manager / WebDAV server. In versions prior to 3.9.0, a hardcoded default encryption key (default_please_change_this_key) is used for all cryptographic operations - HMAC token generation, AES config encryption, and session tokens - allowing any unauthenticated attacker to forge upload tokens for arbitrary file upload to shared folders, and to decrypt admin configuration secrets including OIDC client secrets and SMTP passwords. FileRise uses a single key (PERSISTENT_TOKENS_KEY) for all crypto operations. The default value default_please_change_this_key is hardcoded in two places and used unless the deployer explicitly overrides the environment variable. This issue is fixed in version 3.9.0.
Analysis
FileRise, a self-hosted web file manager and WebDAV server, contains a critical hardcoded encryption key vulnerability in versions prior to 3.9.0. The default key 'default_please_change_this_key' is used for all cryptographic operations including HMAC token generation, AES configuration encryption, and session tokens, allowing unauthenticated attackers to forge upload tokens for arbitrary file upload and decrypt sensitive admin configuration data such as OIDC client secrets and SMTP passwords. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all FileRise deployments and versions; assess whether exposed credentials (OIDC, SMTP) have been rotated; implement network access controls to restrict FileRise to trusted IPs only. Within 7 days: Rotate all OIDC client secrets, SMTP passwords, and session tokens; consider disabling FileRise temporarily if remediation cannot be completed; implement enhanced logging and monitoring for suspicious upload activity. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today