CVE-2026-33072 in FileRise

Summary

by MITRE • 03/20/2026

FileRise is a self-hosted web file manager / WebDAV server. In versions prior to 3.9.0, a hardcoded default encryption key (default_please_change_this_key) is used for all cryptographic operations — HMAC token generation, AES config encryption, and session tokens — allowing any unauthenticated attacker to forge upload tokens for arbitrary file upload to shared folders, and to decrypt admin configuration secrets including OIDC client secrets and SMTP passwords. FileRise uses a single key (PERSISTENT_TOKENS_KEY) for all crypto operations. The default value default_please_change_this_key is hardcoded in two places and used unless the deployer explicitly overrides the environment variable. This issue is fixed in version 3.9.0.


Analysis

by VulDB Data Team • 03/26/2026

The vulnerability in FileRise versions prior to 3.9.0 is a critical cryptographic weakness in the web file manager and WebDAV server. It stems from a hardcoded default encryption key embedded directly in the application code, the value default_please_change_this_key, which serves as the persistent token key for all cryptographic operations. That one key protects several security mechanisms at once: HMAC token generation for file uploads, AES encryption of configuration files, and session token management. Because the key is hardcoded, any attacker who can reach the application can exploit the weakness without authentication credentials or prior access to the system.

Because the single key PERSISTENT_TOKENS_KEY is used for every cryptographic operation, the attack surface spans several security domains at once, and compromising the key defeats all of the mechanisms built on it in one step. This design fails to follow proper key management practice and established cryptographic guidance. The default value is hardcoded in two separate locations in the application code, so the same vulnerable key is used on every deployment unless the system administrator explicitly overrides it. The risk therefore exists from the moment of installation and persists until the administrator changes the configuration.

The operational impact of this vulnerability is severe and multifaceted, enabling attackers to perform arbitrary file uploads to shared folders through forged upload tokens. This capability allows for potential code execution, data exfiltration, and system compromise through malicious file uploads. Additionally, the vulnerability permits decryption of sensitive administrative configuration secrets including OpenID Connect client secrets and SMTP passwords, which could lead to further privilege escalation and lateral movement within the network. The unauthenticated nature of the attack means that no prior access or credentials are required to exploit this vulnerability, making it particularly dangerous in environments where FileRise is exposed to untrusted networks. This vulnerability directly maps to CWE-327 (Use of a Broken or Risky Cryptographic Algorithm) and CWE-320 (Key Management Errors) while also aligning with ATT&CK techniques related to credential access and privilege escalation through hardcoded credentials.

Mitigation requires immediate deployment of FileRise version 3.9.0 or later, which addresses the hardcoded key through proper key management. System administrators should verify that the PERSISTENT_TOKENS_KEY environment variable is set to a strong, randomly generated cryptographic key that is unique to each deployment. The upgrade should be accompanied by a security audit confirming that no other hardcoded cryptographic values exist within the application. Organizations should implement key rotation procedures and establish policies requiring regular key updates. This case highlights the importance of following key management standards such as NIST SP 800-57 and of using the ATT&CK framework to identify and mitigate credential exposure. Remediation should also include network segmentation and access controls that limit exposure of FileRise installations to untrusted networks, together with monitoring for unauthorized configuration changes and suspicious file upload activity.
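The mitigation paragraph above asks deployers to verify that PERSISTENT_TOKENS_KEY holds a strong, deployment-unique value, and the analysis notes that this one key feeds every cryptographic operation in the product. The following Python is an added example, not FileRise's own code: a startup check that refuses a missing key, the shipped default, or a weak value, generates a replacement, and derives separate purpose-bound subkeys with HKDF so that upload-token HMACs, configuration encryption and session tokens no longer share raw key material. The environment variable name and the default value come from the advisory; the function names, the 32-byte minimum, the distinct-character heuristic and the HKDF labels are this example's own assumptions.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# The variable name and default value are taken from the advisory. Everything
# else in this file (function names, policy thresholds, subkey labels) is an
# assumption made for this example and is not FileRise's implementation.
KEY_ENV_VAR = "PERSISTENT_TOKENS_KEY"
KNOWN_DEFAULT_KEY = "default_please_change_this_key"
MIN_KEY_BYTES = 32  # assumed policy: at least 256 bits of key material


def validate_master_key(value: Optional[str]) -> Tuple[bool, str]:
    """Return (ok, reason) for a candidate master key.

    A deployment check like this refuses to start when the key is missing,
    still equals the shipped default, or is too short to resist guessing.
    """
    if value is None or value == "":
        return False, f"{KEY_ENV_VAR} is not set"
    # Constant-time comparison is not strictly needed for a startup check,
    # but it is the habit worth keeping when comparing secrets.
    if hmac.compare_digest(value.encode(), KNOWN_DEFAULT_KEY.encode()):
        return False, f"{KEY_ENV_VAR} still holds the shipped default value"
    if len(value.encode()) < MIN_KEY_BYTES:
        return False, f"{KEY_ENV_VAR} is shorter than {MIN_KEY_BYTES} bytes"
    # Crude entropy heuristic (assumed policy): catches values like "aaaa...".
    if len(set(value)) < 8:
        return False, f"{KEY_ENV_VAR} has too few distinct characters"
    return True, "ok"


def generate_master_key() -> str:
    """Produce a fresh, deployment-unique key as 64 hex characters (32 random bytes)."""
    return secrets.token_hex(MIN_KEY_BYTES)


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32, salt: bytes = b"") -> bytes:
    """HKDF (RFC 5869) with SHA-256, implemented with the standard library only."""
    if salt == b"":
        salt = b"\x00" * hashlib.sha256().digest_size
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()  # extract
    okm, block, counter = b"", b"", 1
    while len(okm) < length:  # expand
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_subkeys(master_key: str) -> Dict[str, bytes]:
    """Split one master secret into purpose-bound keys (domain separation).

    With separate subkeys, leaking or misusing the upload-token key does not
    also hand over the key that protects the encrypted configuration.
    """
    ikm = master_key.encode()
    return {
        "upload_token_hmac": hkdf_sha256(ikm, b"example/upload-token-hmac/v1"),
        "config_aes": hkdf_sha256(ikm, b"example/config-aes/v1"),
        "session_token": hkdf_sha256(ikm, b"example/session-token/v1"),
    }


def check_environment(env: Optional[Dict[str, str]] = None) -> Tuple[bool, str]:
    """Run the startup check against a process environment (os.environ by default)."""
    source = os.environ if env is None else env
    return validate_master_key(source.get(KEY_ENV_VAR))


if __name__ == "__main__":
    ok, reason = check_environment()
    print("startup check:", reason)
    if not ok:
        print("suggested replacement value:", generate_master_key())
```

Run it in the service's environment before the application starts; a failing check should abort startup rather than log and continue, since the whole point is that the default value must never reach production. The HKDF labels include a version suffix so that a future rotation can derive a new generation of subkeys without touching the code paths that consume them.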

Responsible

GitHub M

Reservation

03/17/2026

Disclosure

03/20/2026

Moderation

accepted

CPE

ready

EPSS

0.00019

KEV

no

Activities

very low
