Skip to main content

Filerise EUVDEUVD-2026-13643

| CVE-2026-33072 HIGH
Use of Hard-coded Credentials (CWE-798)
2026-03-20 GitHub_M
8.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:19 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
3.9.0
EUVD ID Assigned
Mar 20, 2026 - 08:45 euvd
EUVD-2026-13643
Analysis Generated
Mar 20, 2026 - 08:45 vuln.today
CVE Published
Mar 20, 2026 - 08:31 nvd
HIGH 8.2

DescriptionGitHub Advisory

FileRise is a self-hosted web file manager / WebDAV server. In versions prior to 3.9.0, a hardcoded default encryption key (default_please_change_this_key) is used for all cryptographic operations - HMAC token generation, AES config encryption, and session tokens - allowing any unauthenticated attacker to forge upload tokens for arbitrary file upload to shared folders, and to decrypt admin configuration secrets including OIDC client secrets and SMTP passwords. FileRise uses a single key (PERSISTENT_TOKENS_KEY) for all crypto operations. The default value default_please_change_this_key is hardcoded in two places and used unless the deployer explicitly overrides the environment variable. This issue is fixed in version 3.9.0.

AnalysisAI

FileRise, a self-hosted web file manager and WebDAV server, contains a critical hardcoded encryption key vulnerability in versions prior to 3.9.0. The default key 'default_please_change_this_key' is used for all cryptographic operations including HMAC token generation, AES configuration encryption, and session tokens, allowing unauthenticated attackers to forge upload tokens for arbitrary file upload and decrypt sensitive admin configuration data such as OIDC client secrets and SMTP passwords. No evidence of active exploitation (not in CISA KEV) is currently available, though the vulnerability is straightforward to exploit given the hardcoded nature of the default key.

Technical ContextAI

FileRise (CPE: cpe:2.3:a:error311:filerise:*:*:*:*:*:*:*:*) is a self-hosted web file manager with WebDAV server capabilities. This vulnerability represents CWE-798 (Use of Hard-coded Credentials), where a single cryptographic key (PERSISTENT_TOKENS_KEY) with the hardcoded default value 'default_please_change_this_key' is used across all security-sensitive operations. The key is embedded in the codebase in multiple locations and is only changed if deployers explicitly override the environment variable. This design flaw affects three critical security functions: HMAC-based upload token generation for shared folders, AES encryption of administrative configuration data, and session token generation for authentication. The vulnerability allows complete cryptographic compromise of any FileRise installation that has not manually changed the default key.

RemediationAI

Immediately upgrade FileRise to version 3.9.0 or later, which addresses the hardcoded key vulnerability according to the release notes at https://github.com/error311/FileRise/releases/tag/v3.9.0. Review the GitHub security advisory at https://github.com/error311/FileRise/security/advisories/GHSA-f4xx-57cv-mg3x for complete remediation guidance. If immediate patching is not possible, manually set the PERSISTENT_TOKENS_KEY environment variable to a cryptographically random value of sufficient length, rotate all existing session tokens, and regenerate any OIDC client secrets or SMTP passwords that may have been encrypted with the default key. Additionally, audit logs for any unauthorized file uploads or suspicious authentication activity that may indicate prior exploitation, and consider restricting network access to FileRise instances to trusted IP ranges until patching is complete.

Share

EUVD-2026-13643 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy