
CVE-2026-33477: FileRise Auth Bypass Vulnerability

CVE-2026-33477 is an authorization bypass flaw in FileRise that allows users with read_own access to view file snippets from other users in shared folders. This article covers technical details, affected versions, and mitigation.

CVE-2026-33477 Overview

CVE-2026-33477 is an authorization bypass vulnerability affecting FileRise, a self-hosted web-based file manager that provides multi-file upload, editing, and batch operations capabilities. The vulnerability exists in the file snippet endpoint (/api/file/snippet.php) where server-side authorization checks fail to properly enforce read_own permissions. This flaw allows an authenticated user with restricted access to retrieve file snippet content from files uploaded by other users within the same folder.

Critical Impact

Authenticated users can access unauthorized file content belonging to other users, potentially exposing sensitive information through hover preview functionality.

Affected Products

  • FileRise versions 2.3.7 through 3.10.0

Discovery Timeline

  • 2026-03-26 - CVE-2026-33477 published to NVD
  • 2026-03-26 - Last updated in NVD database

Technical Details for CVE-2026-33477

Vulnerability Analysis

This vulnerability is classified as CWE-863 (Incorrect Authorization), which occurs when software does not properly perform authorization checks. In the case of FileRise, the read_own permission model is designed to restrict users to viewing only their own uploaded files within a shared folder. However, the /api/file/snippet.php endpoint fails to validate file ownership before returning snippet content, effectively bypassing this access control mechanism.

The flaw specifically affects the hover preview functionality, where users can preview file content without fully opening the file. When a user with read_own permissions requests a snippet, the server returns the content without verifying that the requesting user is the original uploader of the file.

Root Cause

The root cause is a server-side authorization flaw in the read_own enforcement logic for hover previews. The snippet endpoint does not properly check file ownership before serving content, allowing any authenticated user with folder access to retrieve snippets from files they do not own. This represents a horizontal privilege escalation where users can access resources belonging to other users at the same permission level.
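The following is an added illustration, not FileRise code: it models the read_own gap described above (folder access checked, ownership not) beside the ownership check the fix is described as adding. The store, permission table and function names are hypothetical.

```python
# Added example, not FileRise code: models a snippet endpoint that checks folder
# access but not ownership, and the hardened version that enforces read_own.
from dataclasses import dataclass


@dataclass(frozen=True)
class FileRecord:
    folder: str
    name: str
    uploader: str
    content: str


# Constructed sample store: two users' uploads in one shared folder.
FILES = {
    ("shared", "alice-notes.txt"): FileRecord("shared", "alice-notes.txt", "alice", "Q3 forecast: draft"),
    ("shared", "bob-todo.txt"): FileRecord("shared", "bob-todo.txt", "bob", "rotate db creds"),
}

# Per-user folder mode (hypothetical): "read" sees every file, "read_own" only own uploads.
PERMS = {"alice": {"shared": "read_own"}, "bob": {"shared": "read_own"}, "carol": {"shared": "read"}}


def snippet_vulnerable(user, folder, name, length=64):
    """Pre-fix behaviour: folder access is checked, file ownership is not."""
    if folder not in PERMS.get(user, {}):
        raise PermissionError("no access to folder")
    rec = FILES.get((folder, name))
    if rec is None:
        raise FileNotFoundError(name)
    return rec.content[:length]


def can_read(user, rec):
    """'read' grants any file in the folder; 'read_own' only files the user uploaded."""
    mode = PERMS.get(user, {}).get(rec.folder)
    if mode == "read":
        return True
    if mode == "read_own":
        return rec.uploader == user
    return False


def snippet_fixed(user, folder, name, length=64):
    """Post-fix behaviour: ownership is enforced before any content is returned."""
    rec = FILES.get((folder, name))
    # Deny uniformly so a read_own user cannot distinguish "missing" from "not yours".
    if rec is None or not can_read(user, rec):
        raise PermissionError("not authorized")
    return rec.content[:length]
```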

Attack Vector

The attack is network-based and requires low-privilege authenticated access. An attacker needs valid credentials with at least read_own permissions on a target folder. By making direct requests to the /api/file/snippet.php endpoint with file identifiers belonging to other users, the attacker can retrieve preview content from files they should not have access to.

The attack does not require user interaction and can be automated to enumerate and extract snippets from all files within accessible folders. While the vulnerability only exposes snippet content rather than complete files, sensitive information such as document headers, code fragments, or personal data could be disclosed.

Detection Methods for CVE-2026-33477

Indicators of Compromise

  • Unusual access patterns to /api/file/snippet.php with file IDs not owned by the requesting user
  • High volume of snippet requests from a single user account across multiple files
  • API access logs showing authenticated users requesting snippets for files outside their ownership scope

Detection Strategies

  • Monitor web server access logs for requests to the snippet endpoint correlating user sessions with file ownership records
  • Implement application-level logging that tracks file ownership verification failures
  • Configure alerts for users accessing an abnormally high number of unique file snippets

Monitoring Recommendations

  • Enable verbose logging on the FileRise application to capture all snippet endpoint requests
  • Cross-reference snippet access logs with file upload metadata to identify unauthorized access attempts
  • Review audit trails for users accessing shared folders with read_own restrictions
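As an added example of the detection and monitoring steps above (not a FileRise component), the script below correlates constructed snippet-endpoint log lines with an upload-ownership table to flag read_own violations and high-volume snippet enumeration. The log layout, field names and thresholds are assumptions.

```python
# Added example, not FileRise code: correlate snippet.php access-log lines with
# file ownership records. Log format and all sample data are constructed.
import re
from collections import defaultdict

# Constructed ownership table: (folder, file) -> uploader.
OWNERS = {("shared", "alice-notes.txt"): "alice", ("shared", "bob-todo.txt"): "bob",
          ("shared", "hr-list.csv"): "bob"}
# Constructed permission table: (user, folder) pairs restricted to their own uploads.
READ_OWN = {("alice", "shared"), ("bob", "shared")}

# Assumed log layout: timestamp, user=, method, path with folder/file query params.
LOG_RE = re.compile(r'^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>GET|POST) '
                    r'/api/file/snippet\.php\?folder=(?P<folder>[^&\s]+)&file=(?P<file>\S+)')

SAMPLE_LOG = """\
2026-03-27T10:00:01Z user=alice GET /api/file/snippet.php?folder=shared&file=alice-notes.txt
2026-03-27T10:00:05Z user=alice GET /api/file/snippet.php?folder=shared&file=bob-todo.txt
2026-03-27T10:00:06Z user=alice GET /api/file/snippet.php?folder=shared&file=hr-list.csv
2026-03-27T10:01:00Z user=bob GET /api/file/snippet.php?folder=shared&file=bob-todo.txt
2026-03-27T10:02:00Z user=carol GET /api/file/list.php?folder=shared
"""


def find_violations(log_text, owners=OWNERS, read_own=READ_OWN):
    """Return (user, folder, file) for snippet requests by a read_own user for another user's file."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a snippet request
        user, folder, fname = m["user"], m["folder"], m["file"]
        owner = owners.get((folder, fname))
        if (user, folder) in read_own and owner is not None and owner != user:
            hits.append((user, folder, fname))
    return hits


def high_volume_users(log_text, threshold=2):
    """Users requesting more than `threshold` distinct snippets: a possible enumeration signal."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            seen[m["user"]].add((m["folder"], m["file"]))
    return {u: len(files) for u, files in seen.items() if len(files) > threshold}
```

On a real deployment the ownership table would come from FileRise's upload metadata and the threshold from a baseline of normal hover-preview activity.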

How to Mitigate CVE-2026-33477

Immediate Actions Required

  • Upgrade FileRise to version 3.11.0 or later immediately
  • Review access logs for any suspicious snippet endpoint activity prior to patching
  • Audit shared folders using read_own permissions to assess potential data exposure

Patch Information

FileRise has released version 3.11.0 which addresses this authorization bypass vulnerability. The fix implements proper ownership validation in the snippet endpoint before returning file content. Users should upgrade through the standard FileRise update process. For detailed release information, see the GitHub Release v3.11.0 and the GitHub Security Advisory GHSA-62wx-vp78-2p83.

Workarounds

  • Temporarily disable the hover preview/snippet functionality if patching cannot be performed immediately
  • Restrict folder access to only trusted users until the patch is applied
  • Consider temporarily converting read_own permissions to more restrictive access controls
  • Implement network-level access controls to limit who can reach the FileRise application

```bash
# Verify FileRise version after upgrade
cat /path/to/filerise/version.txt
# Expected output: 3.11.0 or higher
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
