CVE-2026-33071 Overview
CVE-2026-33071 is an unrestricted file upload vulnerability in FileRise, a self-hosted web file manager and WebDAV server. The vulnerability exists in versions prior to 3.8.0 where the WebDAV upload endpoint accepts any file extension including .phtml, .php5, .htaccess, and other server-side executable types, bypassing the filename validation enforced by the regular upload path. In non-default deployments lacking Apache's LocationMatch protection, this flaw enables remote code execution.
Critical Impact
Authenticated attackers can upload malicious server-side executable files via WebDAV to achieve remote code execution on vulnerable FileRise installations lacking proper Apache configuration protections.
Affected Products
- FileRise versions prior to 3.8.0 (any deployment with the WebDAV endpoint enabled)
- Remote code execution is reachable only in non-default deployments whose Apache configuration lacks the LocationMatch rule that stops uploaded files from being served as scripts
Discovery Timeline
- 2026-03-20 - CVE-2026-33071 published to NVD
- 2026-03-23 - Last updated in NVD database
Technical Details for CVE-2026-33071
Vulnerability Analysis
This vulnerability stems from inconsistent input validation between two file upload pathways within FileRise. While the regular upload endpoint properly validates filenames against a defined regular expression pattern (REGEX_FILE_NAME), the WebDAV upload endpoint bypasses this validation entirely. This creates a dangerous discrepancy where attackers with authenticated access can leverage the WebDAV protocol to upload files with dangerous extensions that would otherwise be blocked.
The vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type), a common but serious flaw in web applications that handle file uploads. The impact is severe because a successful exploit yields arbitrary code execution on the server with the privileges of the web server process, which in turn exposes every file and credential that process can read.
Root Cause
The root cause lies in the createFile() method in FileRiseDirectory.php and the put() method in FileRiseFile.php. When files are uploaded via WebDAV, these methods accept the filename directly from the WebDAV client without any validation. In contrast, the regular upload endpoint in UploadModel::upload() validates filenames against REGEX_FILE_NAME to block dangerous file extensions. This architectural inconsistency means that the WebDAV pathway offers an unprotected route for uploading malicious files.
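To make the fix concrete, here is an added illustration of a single filename validator that both upload paths would call. It is not FileRise's code, and the regular expression below is an assumption, not the project's REGEX_FILE_NAME, whose exact value this page does not reproduce. It combines an allow-list of characters with a block on every dot-separated segment that Apache or PHP stacks commonly execute, so shell.php.jpg, shell.PhP5 and shell.php. are rejected along with the obvious cases, and it raises rather than returning a boolean so a caller cannot silently ignore the result:

```python
import re

# Allow-listed characters: leading alphanumeric, then letters, digits, dot,
# underscore, space or hyphen, 255 chars max. The leading-alphanumeric rule
# also rejects dotfiles such as .htaccess. Assumption: this is an illustrative
# pattern, not FileRise's actual REGEX_FILE_NAME.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._ -]{0,254}$")

# Dot-separated segments that Apache/PHP stacks commonly execute or honour.
# Checking every segment after the first, not only the last one, catches
# shell.php.jpg on servers whose handler mapping is not anchored to the end.
EXEC_SEGMENT = re.compile(r"^(php\d*|pht|phtml|phps|phar|shtml|cgi|pl)$", re.IGNORECASE)


def validate_filename(name: str) -> str:
    """Shared validator for both the regular and the WebDAV upload path.

    Returns the bare filename on success and raises ValueError otherwise.
    """
    if "/" in name or "\\" in name or "\x00" in name:
        raise ValueError(f"path separator or NUL in name: {name!r}")
    if not SAFE_NAME.match(name):
        raise ValueError(f"disallowed characters or length: {name!r}")
    # Apache and Windows ignore trailing dots and spaces, so "shell.php." would
    # be stored or served as shell.php; reject rather than normalise.
    if name != name.rstrip(". "):
        raise ValueError(f"trailing dot or space: {name!r}")
    if any(EXEC_SEGMENT.match(seg) for seg in name.split(".")[1:]):
        raise ValueError(f"server-side executable extension: {name!r}")
    return name


def is_allowed(name: str) -> bool:
    """Boolean convenience wrapper around validate_filename."""
    try:
        validate_filename(name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for candidate in ["report-2026.pdf", "shell.phtml", "shell.PhP5", ".htaccess",
                      "shell.php.", "shell.php.jpg", "../shell.php", "notes.txt"]:
        verdict = "allowed" if is_allowed(candidate) else "rejected"
        print(f"{candidate!r:20} -> {verdict}")
```

The point of the design is that the WebDAV createFile()/put() path and the regular UploadModel::upload() path share one function; an extension deny-list maintained in two places is exactly the inconsistency this CVE describes.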
Attack Vector
The attack requires network access and a low-privileged authenticated account with WebDAV write access. An attacker crafts WebDAV PUT requests whose target names carry server-side executable extensions such as .php, .phtml or .php5, or uploads an .htaccess file, which, where the directory permits overrides (AllowOverride), can change how Apache handles the other files in it, for example by mapping an image extension to the PHP handler. Once the file is in place, requesting it through the web server executes it, giving the attacker arbitrary code execution with the privileges of the web server process.
The flaw turns into code execution only where the deployment lacks the Apache LocationMatch rule that denies direct requests to uploaded files; the default deployment relies on that rule. Administrators who maintain a custom Apache configuration that omits the rule, or that maps the PHP handler onto the upload path, are the ones at heightened risk.
Detection Methods for CVE-2026-33071
Indicators of Compromise
- Unexpected files with extensions such as .php, .phtml, .php5, or .htaccess appearing in FileRise upload directories, in any letter case or as a double extension such as name.php.jpg
- WebDAV PUT requests containing server-side executable file extensions in access logs
- Unexplained web server processes spawning shell commands or making outbound network connections
- Modified .htaccess files in upload directories that may indicate configuration tampering
Detection Strategies
- Monitor WebDAV access logs for PUT requests whose target names carry dangerous extensions (.php, .phtml, .php5, .htaccess); match case-insensitively and after URL-decoding, since shell.PHP or cmd%2Ephp land on disk as executable files
- Implement file integrity monitoring on FileRise upload directories to detect unauthorized server-side scripts
- Deploy web application firewall (WAF) rules to block WebDAV uploads containing executable file extensions
- Review Apache configuration to ensure LocationMatch directives are properly restricting executable content in upload paths
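As an added example, not taken from the page's sources and with sample log lines constructed here, the following Python scans Apache combined-format access logs for the two stages of this attack: a WebDAV write (PUT, and for good measure MOVE and COPY, which can also place a dangerous name) under the WebDAV path, and a later successful request for such a file under the served upload path, which is the execution step. The /webdav/ and /uploads/ prefixes are assumptions about the deployment, not FileRise's documented routes. The target is URL-decoded once, as Apache does, so cmd%2Ephp5 is caught:

```python
import re
from urllib.parse import unquote

# Constructed Apache "combined"-format lines for illustration; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - alice [20/Mar/2026:10:01:02 +0000] "PUT /webdav/docs/report.pdf HTTP/1.1" 201 0 "-" "davfs2/1.6"
10.0.0.9 - bob [20/Mar/2026:10:02:13 +0000] "PUT /webdav/docs/shell.phtml HTTP/1.1" 201 0 "-" "curl/8.5.0"
10.0.0.9 - bob [20/Mar/2026:10:02:20 +0000] "PUT /webdav/docs/cmd%2Ephp5 HTTP/1.1" 201 0 "-" "curl/8.5.0"
10.0.0.9 - bob [20/Mar/2026:10:02:31 +0000] "PUT /webdav/docs/.htaccess HTTP/1.1" 201 0 "-" "curl/8.5.0"
10.0.0.9 - bob [20/Mar/2026:10:02:45 +0000] "GET /uploads/docs/shell.phtml?cmd=id HTTP/1.1" 200 512 "-" "curl/8.5.0"
10.0.0.7 - carol [20/Mar/2026:10:03:00 +0000] "PUT /webdav/docs/notes.PHP.txt HTTP/1.1" 201 0 "-" "Cyberduck/9"
10.0.0.7 - carol [20/Mar/2026:10:03:10 +0000] "GET /webdav/docs/index.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"
"""

# Assumptions about the deployment, not FileRise's documented routes.
WEBDAV_PREFIX = "/webdav/"
UPLOAD_PREFIX = "/uploads/"  # where Apache serves the uploaded files

LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
WRITE_METHODS = {"PUT", "MOVE", "COPY"}  # WebDAV methods that create or rename content
EXEC_SEGMENT = re.compile(r"^(php\d*|pht|phtml|phps|phar|shtml|cgi|pl)$", re.IGNORECASE)


def dangerous_name(target: str) -> bool:
    """True if the URL-decoded basename is an .ht* file or has an executable segment."""
    path = unquote(target.split("?", 1)[0])  # decode once, as Apache does
    base = path.rsplit("/", 1)[-1]
    if base.lower().startswith(".ht"):
        return True
    return any(EXEC_SEGMENT.match(seg) for seg in base.split(".")[1:])


def scan_log(text: str) -> list[dict]:
    """Return findings for dangerous WebDAV writes and for served requests to such files."""
    findings = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        method, target = m["method"], m["target"]
        if not dangerous_name(target):
            continue
        stage = None
        if method in WRITE_METHODS and target.startswith(WEBDAV_PREFIX):
            stage = "upload"
        elif method == "GET" and target.startswith(UPLOAD_PREFIX) and m["status"].startswith("2"):
            stage = "request"  # the file was served (and, without LocationMatch, executed)
        if stage:
            record = {k: m[k] for k in ("ip", "user", "ts", "method", "target", "status")}
            record["stage"] = stage
            findings.append(record)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['stage']:8} {f['ts']} {f['user']}@{f['ip']} {f['method']} {f['target']}")
```

Note that carol's GET of index.php through the WebDAV path is deliberately not flagged: a WebDAV GET is a download, not execution, and alerting on it would only add noise. A PUT of notes.PHP.txt is flagged because the double extension is the classic way to get past a last-extension check.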
Monitoring Recommendations
- Enable detailed logging for WebDAV operations and correlate with file system changes
- Configure alerts for any new executable files created in FileRise managed directories
- Audit authenticated user activities targeting WebDAV endpoints for anomalous upload patterns
- Monitor web server error logs for unexpected script execution attempts in upload directories
How to Mitigate CVE-2026-33071
Immediate Actions Required
- Upgrade FileRise to version 3.8.0 or later immediately to patch the vulnerability
- Audit existing upload directories for any suspicious server-side executable files
- Ensure the Apache LocationMatch protection is in place so that requests for script extensions under the upload path are denied, and keep AllowOverride None for that path so an uploaded .htaccess is ignored
- Temporarily disable WebDAV functionality if immediate patching is not possible
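For the audit step (and as a basis for the file integrity monitoring mentioned under Detection Strategies), here is an added Python example; it is not FileRise tooling, and the directory layout is a constructed fixture. It walks an upload tree and flags three things: Apache override files (.ht*), names with a server-side executable segment, and files whose first bytes contain a PHP open tag regardless of extension. The third check matters because an uploaded .htaccess can make Apache execute .jpg files, so an extension-only audit would miss the payload:

```python
import os
import re
import tempfile
from pathlib import Path

EXEC_SEGMENT = re.compile(r"^(php\d*|pht|phtml|phps|phar|shtml|cgi|pl)$", re.IGNORECASE)
# Byte sequences that mark PHP source; checked in the first 512 bytes of every file.
PHP_MARKERS = (b"<?php", b"<?=")


def audit_upload_tree(root) -> list[tuple[str, list[str]]]:
    """Walk an upload directory and return (relative path, reasons) for suspicious files."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = Path(dirpath) / fn
            reasons = []
            if fn.lower().startswith(".ht"):
                reasons.append("apache-override-file")
            if any(EXEC_SEGMENT.match(seg) for seg in fn.split(".")[1:]):
                reasons.append("executable-extension")
            try:
                with path.open("rb") as fh:
                    head = fh.read(512)
            except OSError:
                continue
            if any(marker in head for marker in PHP_MARKERS):
                reasons.append("php-open-tag-in-content")
            if reasons:
                findings.append((path.relative_to(root).as_posix(), reasons))
    return sorted(findings)


def build_fixture() -> Path:
    """Constructed sample tree (not real data) so the audit can run offline."""
    root = Path(tempfile.mkdtemp(prefix="filerise-audit-"))
    docs = root / "docs"
    docs.mkdir()
    (docs / "report.pdf").write_bytes(b"%PDF-1.7\n%constructed sample\n")
    (docs / "shell.phtml").write_bytes(b"<?php system($_GET['c']); ?>")
    # PHP hidden behind a JPEG magic number: only the content check catches it.
    (docs / "image.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"<?php echo 1; ?>")
    # An uploaded override file that would make Apache treat .jpg as PHP.
    (docs / ".htaccess").write_bytes(b"AddType application/x-httpd-php .jpg\n")
    return root


if __name__ == "__main__":
    for rel, reasons in audit_upload_tree(build_fixture()):
        print(f"{rel:20} {', '.join(reasons)}")
```

Run it against the real upload root rather than the fixture once you have confirmed the output on the sample tree; any hit should be treated as a potential compromise and preserved for forensics before removal.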
Patch Information
FileRise version 3.8.0 addresses this vulnerability by implementing consistent filename validation across both the regular upload and WebDAV upload endpoints. The patch ensures that the createFile() and put() methods in the WebDAV handling code now apply the same REGEX_FILE_NAME validation that protects the regular upload path. See the GitHub Release v3.8.0 for complete patch details.
For additional technical details about this security issue, refer to the GitHub Security Advisory GHSA-46gv-gf5f-wvr2.
Workarounds
- Apply Apache LocationMatch directives that deny requests for server-side script extensions under the FileRise upload directories until patching is complete
- Implement a web application firewall rule to filter WebDAV PUT requests containing dangerous file extensions
- Restrict WebDAV access to trusted internal networks or disable WebDAV functionality entirely if not required
- Do not rely on file system permissions or noexec mounts: PHP interprets an uploaded script without its execute bit ever being set. Instead, disable the PHP handler for the upload directories (for example php_admin_flag engine off under mod_php, or no handler mapping for that path under PHP-FPM) and set AllowOverride None there so an uploaded .htaccess cannot re-enable it
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

