CVE-2026-33070 Overview
CVE-2026-33070 is a missing-authentication vulnerability affecting FileRise, a self-hosted web file manager and WebDAV server. In versions prior to 3.8.0, the deleteShareLink endpoint lacks authentication controls, allowing any unauthenticated user to delete arbitrary file share links by simply providing the share token. This vulnerability enables denial of service attacks against shared file access capabilities.
Critical Impact
Unauthenticated attackers can delete arbitrary file share links, disrupting file sharing operations and causing denial of service to legitimate users relying on shared access.
Affected Products
- FileRise versions prior to 3.8.0
- Self-hosted FileRise WebDAV server installations
- All platforms running vulnerable FileRise deployments
Discovery Timeline
- 2026-03-20 - CVE-2026-33070 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-33070
Vulnerability Analysis
This vulnerability is classified as CWE-306 (Missing Authentication for Critical Function). The POST /api/file/deleteShareLink.php endpoint directly calls FileController::deleteShareLink() without implementing any authentication, authorization, or CSRF validation mechanisms before executing the share link deletion operation.
The absence of these controls means that any anonymous HTTP client that knows a share token can destroy the corresponding share link. Share tokens are not secrets in practice: the token is part of the share URL, so everyone the link was sent to, and every place that URL gets recorded (browser history, chat and mail archives, Referer headers, proxy logs), holds a valid token. Whether tokens can also be enumerated depends on their length and randomness, which the advisory does not state.
Exploitation requires only network access to the endpoint plus a valid share token; once a token is known, a single request suffices. The impact is a loss of integrity (share links are deleted without authorization) and of availability (legitimate recipients lose access to the shared files).
Root Cause
The root cause is the complete absence of authentication and authorization checks in the FileController::deleteShareLink() method. The endpoint was implemented without verifying that the requesting user has ownership or administrative privileges over the share link being deleted. Additionally, no CSRF protection was implemented, making the endpoint vulnerable to cross-site attacks.
Attack Vector
The attack vector is network-based: the attacker sends an HTTP POST to /api/file/deleteShareLink.php carrying the share token of the link to be destroyed. Because the endpoint performs no session validation and no ownership check, the server processes the deletion regardless of who sent the request.
Tokens can be obtained by any recipient of a share URL, from any log or history in which the URL was recorded, or, if tokens are short or predictable, by guessing. Interception on the wire is only realistic where the share URL travels over plain HTTP.
Detection Methods for CVE-2026-33070
Indicators of Compromise
- Unusual volume of POST requests to /api/file/deleteShareLink.php from external or unauthenticated sources
- Multiple share link deletion events occurring in rapid succession without corresponding authenticated user sessions
- HTTP access logs showing requests to the deleteShareLink endpoint from unexpected IP addresses
Detection Strategies
- Monitor web server access logs for POST requests to /api/file/deleteShareLink.php; access logs do not record session state, so correlate hits against the application's own session or audit logs before treating a request as unauthenticated
- Implement alerting on anomalous patterns of share link deletions, particularly bulk deletions in short timeframes
- Review application logs for FileController::deleteShareLink() invocations that lack associated authenticated sessions
- Deploy web application firewalls (WAF) with rules to detect and block suspicious requests to the vulnerable endpoint
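As an added example (not part of the original advisory or of the FileRise project), the following Python script runs the detection logic above over a handful of constructed combined-format access log lines: it counts POSTs to /api/file/deleteShareLink.php per source IP and flags any source that sent at least a threshold number of them inside a sliding time window. The log lines, IP addresses, threshold and window size are constructed assumptions; only the endpoint path comes from the advisory. Because an access log does not show whether a session cookie was valid, the burst is a triage signal, not proof of unauthenticated access; a legitimate user bulk-deleting links will also trip it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoint named in the advisory for CVE-2026-33070.
ENDPOINT = "/api/file/deleteShareLink.php"

# Combined log format as written by Apache or nginx (assumption: the server
# logs in this format). Captures client IP, timestamp, method, path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample log lines (not real traffic): one source hammers the
# endpoint, one client hits it once, plus unrelated noise and a malformed line.
SAMPLE_LOG = [
    '198.51.100.7 - - [20/Mar/2026:10:00:01 +0000] "POST /api/file/deleteShareLink.php HTTP/1.1" 200 45 "-" "curl/8.5.0"',
    '198.51.100.7 - - [20/Mar/2026:10:00:03 +0000] "POST /api/file/deleteShareLink.php HTTP/1.1" 200 45 "-" "curl/8.5.0"',
    '192.0.2.10 - - [20/Mar/2026:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Mar/2026:10:00:09 +0000] "POST /api/file/deleteShareLink.php HTTP/1.1" 200 45 "-" "curl/8.5.0"',
    '192.0.2.10 - - [20/Mar/2026:10:00:30 +0000] "POST /api/file/deleteShareLink.php HTTP/1.1" 200 45 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Mar/2026:10:00:31 +0000] "POST /api/file/deleteShareLink.php HTTP/1.1" 200 45 "-" "curl/8.5.0"',
    'garbage line that does not parse',
]


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        # Drop any query string so /path?x=y still matches the endpoint.
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def endpoint_events(lines):
    """Timestamps of POST requests to the vulnerable endpoint, grouped by source IP."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == ENDPOINT:
            events[rec["ip"]].append(rec["ts"])
    return events


def count_endpoint_hits(lines):
    """Total deleteShareLink POSTs per source IP (the IoC 'volume' indicator)."""
    return {ip: len(ts) for ip, ts in endpoint_events(lines).items()}


def find_deletion_bursts(lines, threshold=3, window=timedelta(seconds=60)):
    """Return {ip: peak_count} for sources that sent >= threshold deletion
    requests inside any interval of length `window` (sliding window over
    sorted timestamps). Threshold and window are tuning assumptions."""
    alerts = {}
    for ip, times in endpoint_events(lines).items():
        times.sort()
        start = 0
        for end, t_end in enumerate(times):
            # Advance the window start until it is within `window` of t_end.
            while t_end - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), count)
    return alerts


if __name__ == "__main__":
    for ip, n in find_deletion_bursts(SAMPLE_LOG).items():
        print(f"ALERT: {ip} sent {n} deleteShareLink POSTs within 60s")
```

Run against a real log with `find_deletion_bursts(open("access.log"))`; tune `threshold` and `window` to the normal rate of share-link deletions on the instance, and forward the flagged IPs to the application-side audit log review described above.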
Monitoring Recommendations
- Enable detailed logging on the FileRise application to capture all share link deletion events with source IP information
- Set up network monitoring to detect reconnaissance activity against file sharing endpoints
- Implement rate limiting on sensitive API endpoints as an additional detection and mitigation layer
- Consider deploying intrusion detection systems (IDS) with signatures for this vulnerability pattern
How to Mitigate CVE-2026-33070
Immediate Actions Required
- Upgrade FileRise to version 3.8.0 or later immediately
- Audit recent share link deletion logs to identify potential exploitation attempts
- Temporarily restrict network access to the /api/file/deleteShareLink.php endpoint if immediate patching is not possible
- Review and regenerate critical share links that may have been targeted
Patch Information
FileRise version 3.8.0 addresses this vulnerability by adding authentication and authorization checks to the deleteShareLink endpoint, so that only an authenticated user with permission over the share link can delete it. Upgrade to 3.8.0 or later from the project's GitHub release v3.8.0. For additional details, refer to the GitHub Security Advisory GHSA-vh5m-w36c-99xv.
Workarounds
- Implement web server or reverse proxy access controls that require authentication for the API endpoints, taking care not to gate the endpoints the application's own login flow needs
- Use firewall rules to restrict access to the FileRise API from trusted IP addresses only
- Deploy a web application firewall (WAF) to block unauthenticated requests to sensitive endpoints
- Temporarily disable the share link functionality if not critical to operations until patching is complete
# Example: restrict access to the deleteShareLink endpoint via Apache configuration.
# Caveat: this Basic-auth gate applies to every client, including the FileRise
# web UI, so legitimate users cannot delete share links through the UI until the
# upgrade to 3.8.0 restores proper in-application authorization.
<Location "/api/file/deleteShareLink.php">
    AuthType Basic
    AuthName "Restricted Access"
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
</Location>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


