FileRise is a self-hosted web file manager and WebDAV server used for managing and sharing files. In versions prior to 3.8.0, the POST /api/file/deleteShareLink.php endpoint, which invokes FileController::deleteShareLink(), suffers from a missing authentication vulnerability (CWE-306). This endpoint does not perform any authentication, authorization, or Cross-Site Request Forgery (CSRF) validation before deleting a share link. Consequently, any unauthenticated HTTP client can delete arbitrary file share links by providing only the share token. This results in denial of service to users relying on those share links for file access. The vulnerability does not expose or modify the underlying files themselves but disrupts access by invalidating share links. The CVSS 3.1 base score is 3.7, reflecting a low severity due to the limited impact on confidentiality and availability, high attack complexity, and no privileges or user interaction required. No known exploits are currently reported in the wild. The vulnerability was publicly disclosed on March 20, 2026, and fixed in FileRise version 3.8.0. The root cause is the lack of authentication and authorization checks on a critical function that modifies shared resource access.

The primary impact of this vulnerability is the integrity and availability of shared file access via share links. Attackers can delete share links without authentication, causing denial of service to legitimate users who rely on these links for collaboration or file distribution. While the underlying files remain unaffected and confidential, the disruption can lead to operational inefficiencies, user frustration, and potential business process interruptions. Organizations using FileRise in environments where file sharing is critical may experience degraded productivity or require manual restoration of share links. Since exploitation does not require user interaction or privileges, the attack surface is broad, but the high attack complexity and requirement to know valid share tokens limit mass exploitation. There is no direct impact on confidentiality or system availability beyond share link deletion.

The primary mitigation is to upgrade FileRise to version 3.8.0 or later, where this vulnerability is fixed by adding proper authentication and authorization checks to the deleteShareLink endpoint. Until upgrading, organizations should restrict network access to the FileRise management interfaces to trusted users only, ideally via VPN or internal networks. Implement monitoring and alerting for unusual deletion of share links to detect potential abuse. Consider implementing additional application-layer protections such as Web Application Firewalls (WAFs) to block unauthorized POST requests to the vulnerable endpoint. Educate users to avoid sharing share tokens publicly and rotate share links periodically. If possible, disable or restrict the use of share links until the patch is applied. Review and audit access logs regularly to identify suspicious activity related to share link deletions.