CVE Vulnerability Database

CVE-2026-44460: FileRise Auth Bypass Vulnerability

CVE-2026-44460 is an authentication bypass flaw in FileRise that lets an attacker who already holds a user's password extract that user's TOTP secret and bypass two-factor authentication. This article covers technical details, affected versions, and mitigation.


CVE-2026-44460 Overview

FileRise, a self-hosted web-based file manager, contains an information disclosure vulnerability in versions prior to 3.12.0. The /api/totp_setup.php endpoint is callable from a session in the pending_login_user state, which only requires the password check to pass. When the targeted account already has Time-based One-Time Password (TOTP) configured, the endpoint decrypts and returns the existing TOTP secret embedded in a QR PNG response. An attacker who already possesses the victim's password can extract the live TOTP secret, generate a valid one-time code, and submit it to /api/totp_verify.php to obtain a fully authenticated session. This effectively bypasses multi-factor authentication (MFA) without ever accessing the victim's authenticator device.

Critical Impact

Attackers with valid credentials can bypass TOTP-based MFA, fully compromising any FileRise account before version 3.12.0.

Affected Products

  • FileRise versions prior to 3.12.0
  • Self-hosted FileRise deployments with TOTP MFA enabled
  • All FileRise user accounts with configured TOTP secrets

Discovery Timeline

  • 2026-05-27 - CVE-2026-44460 published to NVD
  • 2026-05-27 - Last updated in NVD database

Technical Details for CVE-2026-44460

Vulnerability Analysis

The vulnerability resides in the authentication state machine implemented by FileRise. After a successful password submission but before TOTP verification, the application places the session in a pending_login_user state. This intermediate state grants insufficient privileges for full application access but should not expose sensitive account material. The /api/totp_setup.php endpoint fails to enforce that restriction, treating the half-authenticated session as authorized to retrieve TOTP enrollment data.

The endpoint is designed to provision new TOTP secrets during initial enrollment. When invoked against an account that has already enrolled, the correct behavior is to refuse the request or generate a fresh, uncommitted secret. Instead, the implementation decrypts the stored secret and returns it inside a QR code PNG, exposing the shared symmetric key needed to generate valid one-time codes. This is classified as Information Exposure [CWE-200].

Root Cause

The root cause is a broken access control check combined with improper state validation in the TOTP setup flow. The endpoint does not distinguish between a freshly authenticated administrative session performing legitimate re-enrollment and a pending_login_user session attempting to harvest existing credentials. The decryption and return of the stored secret occurs unconditionally when the session has passed the password stage.

Attack Vector

The attack requires the victim's password as a precondition, obtained through phishing, password reuse, credential stuffing, or prior breaches. The attacker authenticates against FileRise, reaches the pending_login_user state, and issues a request to /api/totp_setup.php. The server responds with a QR PNG containing the otpauth URI and the Base32-encoded TOTP secret. The attacker parses the QR code, derives the current TOTP code using a standard library, and submits it to /api/totp_verify.php to complete authentication. The MFA control is bypassed without any interaction with the legitimate user's authenticator device.

No verified public exploit code is available. See the GitHub Security Advisory for additional technical detail.

Detection Methods for CVE-2026-44460

Indicators of Compromise

  • Requests to /api/totp_setup.php originating from sessions that have not completed TOTP verification.
  • Successful /api/totp_verify.php responses immediately following a /api/totp_setup.php call within the same session.
  • Authentication events from unfamiliar IP addresses or user-agents shortly after password-only login attempts.

Detection Strategies

  • Inspect web server access logs for sequential calls to /api/totp_setup.php and /api/totp_verify.php from the same client during a single login flow.
  • Alert on TOTP setup endpoint access for accounts whose TOTP enrollment status is already true.
  • Correlate successful logins against geolocation and device fingerprint baselines to identify MFA bypass anomalies.
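The indicators and detection strategies above can be turned into a small log-correlation routine. The following is an added example (not FileRise code and not part of the original advisory): it assumes an application log that records a timestamp, client IP, session id, user name, method, path and status per line, and a lookup of which accounts already have TOTP enrolled. The sample log lines and enrollment table are constructed for illustration. Two rules are applied per session: a setup call on an account that is already enrolled, and a successful verify shortly after a setup call in the same session.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumption: the log carries a session id and
# user name; real FileRise or web-server logs may use a different layout).
SAMPLE_LOG = """\
2026-05-27T10:00:01Z 203.0.113.5 sid=a1b2 user=alice POST /api/login.php 200
2026-05-27T10:00:03Z 203.0.113.5 sid=a1b2 user=alice GET /api/totp_setup.php 200
2026-05-27T10:00:09Z 203.0.113.5 sid=a1b2 user=alice POST /api/totp_verify.php 200
2026-05-27T10:05:00Z 198.51.100.7 sid=c3d4 user=bob POST /api/login.php 200
2026-05-27T10:05:02Z 198.51.100.7 sid=c3d4 user=bob GET /api/totp_setup.php 200
2026-05-27T10:20:30Z 198.51.100.7 sid=c3d4 user=bob POST /api/totp_verify.php 200
2026-05-27T10:30:00Z 192.0.2.9 sid=e5f6 user=carol POST /api/login.php 200
2026-05-27T10:30:04Z 192.0.2.9 sid=e5f6 user=carol POST /api/totp_verify.php 200
"""

# Constructed enrollment state: which accounts already have TOTP configured.
TOTP_ENROLLED = {"alice": True, "bob": False, "carol": True}

SETUP_PATH = "/api/totp_setup.php"
VERIFY_PATH = "/api/totp_verify.php"

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) sid=(?P<sid>\S+) user=(?P<user>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def parse_log(text):
    """Parse log text into a list of event dicts; lines that do not fit are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["status"] = int(ev["status"])
        events.append(ev)
    return events


def detect(events, enrolled, window=timedelta(seconds=120)):
    """Return a list of (rule, session_id, user) alerts.

    Rule "setup_on_enrolled_account": the setup endpoint answered 200 for an
    account whose TOTP enrollment status is already true.
    Rule "verify_after_setup": a successful totp_verify followed a setup call
    in the same session within `window`.
    """
    alerts = []
    by_sid = defaultdict(list)
    for ev in events:
        by_sid[ev["sid"]].append(ev)

    for sid, evs in by_sid.items():
        evs.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(evs):
            if ev["path"] != SETUP_PATH or ev["status"] != 200:
                continue
            if enrolled.get(ev["user"], False):
                alerts.append(("setup_on_enrolled_account", sid, ev["user"]))
            for later in evs[i + 1:]:
                if later["ts"] - ev["ts"] > window:
                    break  # events are sorted, so nothing later is in the window
                if later["path"] == VERIFY_PATH and later["status"] == 200:
                    alerts.append(("verify_after_setup", sid, ev["user"]))
                    break
    return alerts


if __name__ == "__main__":
    for rule, sid, user in detect(parse_log(SAMPLE_LOG), TOTP_ENROLLED):
        print(f"ALERT {rule}: session={sid} user={user}")
```

On the constructed sample, only the alice session triggers both rules: bob's setup call is a first enrollment on an account with no secret, and his verify comes well outside the window; carol's session is an ordinary password-then-TOTP login with no setup call at all. The enrollment lookup is what separates legitimate first-time enrollment from the pattern described in this advisory, so it should come from the application's own user store rather than be inferred from the logs.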

Monitoring Recommendations

  • Enable verbose authentication logging in FileRise and forward logs to a centralized SIEM for correlation.
  • Monitor outbound responses from /api/totp_setup.php for PNG payloads served to non-administrative sessions.
  • Track rate and frequency of TOTP setup invocations per user account to surface anomalous re-enrollment patterns.

How to Mitigate CVE-2026-44460

Immediate Actions Required

  • Upgrade FileRise to version 3.12.0 or later, which contains the official fix.
  • Force a password reset and TOTP re-enrollment for all FileRise users to invalidate any secrets that may have been exposed.
  • Review authentication logs since deployment for evidence of TOTP setup endpoint abuse.

Patch Information

The vulnerability is fixed in FileRise 3.12.0. The patch enforces that /api/totp_setup.php rejects requests from sessions in the pending_login_user state when the account already has TOTP configured. Refer to the GitHub Security Advisory GHSA-84hw-8g73-v3f8 for upstream fix details.
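The root cause described in the Vulnerability Analysis and the behaviour of the fix described here can be modelled side by side. The following is an added example written for this article; it is not FileRise's code and does not reproduce the upstream patch. The session states, the `Account` fields and the placeholder secret values are assumptions. The vulnerable function models the pre-3.12.0 logic (any session past the password stage is accepted, and an already-enrolled account's stored secret is returned); the hardened function refuses a `pending_login_user` session when TOTP is already configured and, for a fully authenticated re-enrollment, stages a fresh uncommitted secret instead of returning the stored one, as the analysis above recommends.

```python
from dataclasses import dataclass
from typing import Optional

# Session states of the login flow described in the advisory (names assumed).
ANONYMOUS = "anonymous"
PENDING = "pending_login_user"    # password accepted, TOTP not yet verified
AUTHENTICATED = "authenticated"   # password and TOTP both verified


@dataclass
class Session:
    user: str
    state: str


@dataclass
class Account:
    # Committed secret used by totp_verify; None means TOTP is not enrolled.
    totp_secret: Optional[str] = None
    # Secret issued by an enrollment request but not yet confirmed by a code.
    pending_secret: Optional[str] = None

    @property
    def totp_enabled(self) -> bool:
        return self.totp_secret is not None


class Forbidden(Exception):
    pass


def totp_setup_vulnerable(session: Session, account: Account, new_secret: str) -> str:
    """Model of the pre-3.12.0 behaviour: only the password stage is checked,
    and an enrolled account's committed secret is handed back unchanged."""
    if session.state == ANONYMOUS:
        raise Forbidden("login required")
    if account.totp_enabled:
        return account.totp_secret          # the flaw: live secret disclosed
    account.totp_secret = new_secret
    return new_secret


def totp_setup_hardened(session: Session, account: Account, new_secret: str) -> str:
    """Model of the fixed behaviour described in the advisory.

    A pending_login_user session is refused once TOTP is configured; first-time
    enrollment from that state is left allowed, as the advisory does not say the
    fix changes it. A fully authenticated session may re-enroll, but receives a
    fresh secret that is only committed after the user proves possession of it.
    """
    if session.state not in (PENDING, AUTHENTICATED):
        raise Forbidden("login required")
    if session.state == PENDING and account.totp_enabled:
        raise Forbidden("complete TOTP verification before changing enrollment")
    account.pending_secret = new_secret     # committed secret is never returned
    return new_secret


def commit_pending(account: Account) -> bool:
    """Promote the staged secret once a code for it has been verified."""
    if account.pending_secret is None:
        return False
    account.totp_secret = account.pending_secret
    account.pending_secret = None
    return True


if __name__ == "__main__":
    # Constructed placeholder secrets; not real TOTP material.
    acct = Account(totp_secret="COMMITTED-SECRET-PLACEHOLDER")
    pending = Session("alice", PENDING)
    print("vulnerable returns:", totp_setup_vulnerable(pending, acct, "NEW-PLACEHOLDER"))
    try:
        totp_setup_hardened(pending, acct, "NEW-PLACEHOLDER")
    except Forbidden as exc:
        print("hardened refuses:", exc)
```

The decisive change is that the authorization decision depends on both the session state and the account's enrollment status, not on the password stage alone. Staging the new secret in `pending_secret` also means that a re-enrollment request, even from a legitimate session, never discloses the secret that is currently valid for verification.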

Workarounds

  • Restrict network access to the FileRise application using a reverse proxy or VPN until the upgrade is applied.
  • Block external requests to /api/totp_setup.php at the web server or WAF layer for sessions lacking a fully authenticated cookie.
  • Rotate all user passwords and TOTP secrets after upgrading to ensure any previously exposed material is invalidated.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
