FileRise is a self-hosted web file manager and WebDAV server that allows users to share files via generated share links. In versions prior to 3.8.0, the POST /api/file/deleteShareLink.php endpoint, which is responsible for deleting share links, suffers from a missing authentication vulnerability (CWE-306). Specifically, the FileController::deleteShareLink() function does not perform any authentication, authorization, or Cross-Site Request Forgery (CSRF) validation before deleting a share link. As a result, any unauthenticated HTTP client can invoke this endpoint with a valid share token and delete arbitrary share links. This leads to denial of service for users relying on those share links to access files. The vulnerability does not allow attackers to access or modify file contents directly, nor does it impact system availability beyond the deletion of share links. The CVSS 3.1 score is 3.7 (low), reflecting the limited impact and the requirement of knowing a valid share token. No known exploits are reported in the wild. The vulnerability was publicly disclosed on March 20, 2026, and fixed in FileRise version 3.8.0.

The primary impact of this vulnerability is the unauthorized deletion of file share links, which disrupts legitimate users' ability to access shared files. This can cause operational inconvenience and potential workflow interruptions, especially in environments relying heavily on FileRise for file sharing and collaboration. Since attackers cannot access file contents or system resources, confidentiality and availability impacts are minimal. However, the integrity of shared links is compromised, which could erode user trust and require administrative overhead to recreate share links. Organizations with critical file sharing needs or those using FileRise in production environments may experience moderate operational disruption. The low CVSS score reflects the limited scope and impact, but the risk increases if attackers can enumerate or guess valid share tokens.

The definitive mitigation is to upgrade FileRise to version 3.8.0 or later, where this vulnerability is fixed by enforcing proper authentication and authorization checks on the deleteShareLink endpoint. Until upgrade is possible, organizations should restrict access to the FileRise management interface and API endpoints via network-level controls such as firewalls or VPNs to trusted users only. Implementing Web Application Firewall (WAF) rules to detect and block unauthorized POST requests to /api/file/deleteShareLink.php can provide temporary protection. Additionally, monitoring logs for unusual deletion activity and share link removals can help detect exploitation attempts. Administrators should educate users to avoid sharing tokens publicly and consider rotating share tokens if suspicious activity is detected. Finally, applying strict access controls and isolating FileRise instances from public internet exposure reduces attack surface.