CVE-2026-33072

HIGH 8.2

FileRise: Default Encryption Key Enables Token Forgery and Config Decryption

CVSS Score

8.2

EPSS Score

0.0%

EPSS Percentile

6th

FileRise is a self-hosted web file manager / WebDAV server. In versions prior to 3.9.0, a hardcoded default encryption key (default_please_change_this_key) is used for all cryptographic operations — HMAC token generation, AES config encryption, and session tokens — allowing any unauthenticated attacker to forge upload tokens for arbitrary file upload to shared folders, and to decrypt admin configuration secrets including OIDC client secrets and SMTP passwords. FileRise uses a single key (PERSISTENT_TOKENS_KEY) for all crypto operations. The default value default_please_change_this_key is hardcoded in two places and used unless the deployer explicitly overrides the environment variable. This issue is fixed in version 3.9.0.

CWE	CWE-798 CWE-1188
Vendor	error311
Product	filerise
Published	Mar 20, 2026
Last Updated	Mar 20, 2026

Stay Ahead of the Next One

Get instant alerts for error311 filerise

Be the first to know when new high vulnerabilities affecting error311 filerise are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

Affected Versions

error311 / FileRise

< 3.9.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/error311/FileRise/security/advisories/GHSA-f4xx-57cv-mg3x github.com: https://github.com/error311/FileRise/releases/tag/v3.9.0