CVE-2026-33070

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-33070
FileRise is a self-hosted web file manager / WebDAV server. In versions prior to 3.8.0, a missing-authentication vulnerability in the deleteShareLink endpoint allows any unauthenticated user to delete arbitrary file share links by providing only the share token, causing denial of service to shared file access. The POST /api/file/deleteShareLink.php endpoint calls FileController::deleteShareLink() which performs no authentication, authorization, or CSRF validation before deleting a share link. Any anonymous HTTP client can destroy share links. This issue is fixed in version 3.8.0.

3.7 /10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/error311/FileRise/releases/tag/v3.8.0 Product Release Notes
https://github.com/error311/FileRise/security/advisories/GHSA-vh5m-w36c-99xv Exploit Mitigation Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:filerise:filerise:*:*:*:*:*:*:*:*
History

23 Mar 2026, 15:33

Type Values Removed Values Added
CPE cpe:2.3:a:filerise:filerise:*:*:*:*:*:*:*:*
First Time Filerise
Filerise filerise
Summary
  • (es) FileRise es un gestor de archivos web / servidor WebDAV autoalojado. En versiones anteriores a la 3.8.0, una vulnerabilidad de autenticación faltante en el endpoint deleteShareLink permite a cualquier usuario no autenticado eliminar enlaces de archivos compartidos arbitrarios proporcionando solo el token de compartición, causando denegación de servicio al acceso a archivos compartidos. El endpoint POST /api/file/deleteShareLink.php llama a FileController::deleteShareLink() que no realiza ninguna autenticación, autorización o validación CSRF antes de eliminar un enlace de compartición. Cualquier cliente HTTP anónimo puede destruir enlaces de compartición. Este problema está solucionado en la versión 3.8.0.
References () https://github.com/error311/FileRise/releases/tag/v3.8.0 - () https://github.com/error311/FileRise/releases/tag/v3.8.0 - Product, Release Notes
References () https://github.com/error311/FileRise/security/advisories/GHSA-vh5m-w36c-99xv - () https://github.com/error311/FileRise/security/advisories/GHSA-vh5m-w36c-99xv - Exploit, Mitigation, Vendor Advisory

20 Mar 2026, 09:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-20 09:16

Updated : 2026-03-23 15:33

NVD link : CVE-2026-33070

Mitre link : CVE-2026-33070

CVE.ORG link : CVE-2026-33070

JSON object : View

Products Affected

filerise

  • filerise
CWE
CWE-306

Missing Authentication for Critical Function