Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
6DescriptionGitHub Advisory
FileRise is a self-hosted web file manager / WebDAV server. In versions prior to 3.9.0, a hardcoded default encryption key (default_please_change_this_key) is used for all cryptographic operations - HMAC token generation, AES config encryption, and session tokens - allowing any unauthenticated attacker to forge upload tokens for arbitrary file upload to shared folders, and to decrypt admin configuration secrets including OIDC client secrets and SMTP passwords. FileRise uses a single key (PERSISTENT_TOKENS_KEY) for all crypto operations. The default value default_please_change_this_key is hardcoded in two places and used unless the deployer explicitly overrides the environment variable. This issue is fixed in version 3.9.0.
AnalysisAI
FileRise, a self-hosted web file manager and WebDAV server, contains a critical hardcoded encryption key vulnerability in versions prior to 3.9.0. The default key 'default_please_change_this_key' is used for all cryptographic operations including HMAC token generation, AES configuration encryption, and session tokens, allowing unauthenticated attackers to forge upload tokens for arbitrary file upload and decrypt sensitive admin configuration data such as OIDC client secrets and SMTP passwords. No evidence of active exploitation (not in CISA KEV) is currently available, though the vulnerability is straightforward to exploit given the hardcoded nature of the default key.
Technical ContextAI
FileRise (CPE: cpe:2.3:a:error311:filerise:*:*:*:*:*:*:*:*) is a self-hosted web file manager with WebDAV server capabilities. This vulnerability represents CWE-798 (Use of Hard-coded Credentials), where a single cryptographic key (PERSISTENT_TOKENS_KEY) with the hardcoded default value 'default_please_change_this_key' is used across all security-sensitive operations. The key is embedded in the codebase in multiple locations and is only changed if deployers explicitly override the environment variable. This design flaw affects three critical security functions: HMAC-based upload token generation for shared folders, AES encryption of administrative configuration data, and session token generation for authentication. The vulnerability allows complete cryptographic compromise of any FileRise installation that has not manually changed the default key.
RemediationAI
Immediately upgrade FileRise to version 3.9.0 or later, which addresses the hardcoded key vulnerability according to the release notes at https://github.com/error311/FileRise/releases/tag/v3.9.0. Review the GitHub security advisory at https://github.com/error311/FileRise/security/advisories/GHSA-f4xx-57cv-mg3x for complete remediation guidance. If immediate patching is not possible, manually set the PERSISTENT_TOKENS_KEY environment variable to a cryptographically random value of sufficient length, rotate all existing session tokens, and regenerate any OIDC client secrets or SMTP passwords that may have been encrypted with the default key. Additionally, audit logs for any unauthorized file uploads or suspicious authentication activity that may indicate prior exploitation, and consider restricting network access to FileRise instances to trusted IP ranges until patching is complete.
Unauthenticated directory traversal in FileRise prior to version 3.3.0 allows remote attackers to read arbitrary files f
Unauthenticated administrator account takeover in FileRise before 3.16.0 is possible via a path traversal flaw in the sh
FileRise versions before 3.3.0 contain an HTML injection vulnerability that allows authenticated users to manipulate the
FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. Prior to 2.2.3,
FileRise, a self-hosted web file manager and WebDAV server, contains a path traversal vulnerability in its Resumable.js
A broken access control vulnerability in FileRise's ONLYOFFICE integration allows authenticated users with read-only per
Same weakness CWE-798 – Use of Hard-coded Credentials
View allSame technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13643