CVE-2026-33072: CWE-798: Use of Hard-coded Credentials in error311 FileRise
FileRise is a self-hosted web file manager / WebDAV server. In versions prior to 3.9.0, a hardcoded default encryption key (default_please_change_this_key) is used for all cryptographic operations — HMAC token generation, AES config encryption, and session tokens — allowing any unauthenticated attacker to forge upload tokens for arbitrary file upload to shared folders, and to decrypt admin configuration secrets including OIDC client secrets and SMTP passwords. FileRise uses a single key (PERSISTENT_TOKENS_KEY) for all crypto operations. The default value default_please_change_this_key is hardcoded in two places and used unless the deployer explicitly overrides the environment variable. This issue is fixed in version 3.9.0.
AI Analysis
Technical Summary
FileRise is a self-hosted web file manager and WebDAV server that, in versions before 3.9.0, suffers from a critical cryptographic vulnerability identified as CVE-2026-33072. The core issue is the use of a hardcoded default encryption key, 'default_please_change_this_key', embedded in the codebase in two locations. This key, known as PERSISTENT_TOKENS_KEY, is used uniformly across all cryptographic operations including HMAC token generation, AES encryption of configuration data, and session token creation. Because the default key is static and widely known, any unauthenticated attacker can exploit this to forge upload tokens, granting the ability to upload arbitrary files to shared folders without authorization. Furthermore, the attacker can decrypt sensitive administrative secrets stored by FileRise, such as OpenID Connect (OIDC) client secrets and SMTP passwords, compromising confidentiality of critical credentials. The vulnerability stems from CWE-798 (Use of Hard-coded Credentials) and CWE-1188 (Incorrect Access of Indexable Resource in Cryptographic Operation). No authentication or user interaction is required to exploit this flaw, and the attack surface is broad given the default key is used unless explicitly overridden by environment variables during deployment. The vulnerability was publicly disclosed on March 20, 2026, with a CVSS v3.1 score of 8.2 (high severity), reflecting its ease of exploitation and significant confidentiality impact. The issue is resolved in FileRise version 3.9.0, which removes the hardcoded key and enforces proper key management practices.
Potential Impact
The impact of CVE-2026-33072 is substantial for organizations deploying vulnerable versions of FileRise. Attackers can gain unauthorized write access to shared folders by forging upload tokens, potentially leading to the introduction of malicious files or web shells, which could facilitate further compromise or lateral movement. The ability to decrypt administrative secrets such as OIDC client credentials and SMTP passwords exposes organizations to credential theft, identity spoofing, and interception or manipulation of email communications. This breach of confidentiality can undermine trust in authentication mechanisms and disrupt secure communications. Although the vulnerability does not directly allow denial of service or full system takeover, the integrity of the file management system is compromised, and sensitive data exposure can lead to broader security incidents. Organizations relying on FileRise for secure file sharing and configuration management are at risk of data breaches, unauthorized access, and potential regulatory non-compliance due to exposure of sensitive credentials.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade FileRise to version 3.9.0 or later, where the hardcoded default key has been removed and replaced with secure key management. If upgrading is not immediately feasible, administrators must override the default PERSISTENT_TOKENS_KEY environment variable with a strong, unique cryptographic key before deployment to prevent use of the hardcoded key. It is critical to audit existing deployments for the presence of the default key and rotate any exposed secrets, including OIDC client secrets and SMTP passwords, to prevent misuse. Additionally, organizations should implement network-level access controls to restrict access to the FileRise management interface and shared folders, minimizing exposure to unauthenticated attackers. Monitoring file upload activities and logs for anomalous behavior can help detect exploitation attempts. Finally, integrating FileRise deployments with centralized secret management solutions can enhance key security and prevent hardcoding of sensitive credentials in the future.
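The audit and rotation steps above can be scripted. The following is an added example written for this page, not FileRise's own code: it reads PERSISTENT_TOKENS_KEY from an environment mapping, flags the unset case (which the advisory says falls back to the hard-coded default), the default value itself, and visibly weak values, and generates a replacement key from the OS CSPRNG. The variable name and default value come from the advisory; the 32-byte length floor and the per-character entropy threshold are assumptions made here for illustration.

```python
# Added example (not FileRise's own code): audit a deployment's PERSISTENT_TOKENS_KEY
# against the hard-coded default named in the advisory and generate a replacement.
# The variable name and default value are taken from the advisory text; the
# strength thresholds below are this example's own assumed policy.
import math
import os
import secrets
from collections import Counter
from typing import Dict, List, Optional

ENV_VAR = "PERSISTENT_TOKENS_KEY"
DEFAULT_KEY = "default_please_change_this_key"   # value named in the advisory
MIN_KEY_BYTES = 32                               # assumed policy: 256 bits of key material
MIN_ENTROPY_BITS_PER_CHAR = 3.0                  # assumed policy: reject low-variety strings


def shannon_entropy_per_char(value: str) -> float:
    """Bits of Shannon entropy per character of the string (0.0 for an empty string)."""
    if not value:
        return 0.0
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in Counter(value).values())


def key_issues(key: Optional[str]) -> List[str]:
    """Return findings for a key value; an empty list means the value passes."""
    issues: List[str] = []
    if not key:
        # The advisory states the hard-coded default is used unless the variable is
        # explicitly overridden, so an unset or empty variable is as bad as the default.
        issues.append("unset: application falls back to the hard-coded default key")
        return issues
    if key == DEFAULT_KEY:
        issues.append("default: value equals the hard-coded default key")
    if len(key.encode("utf-8")) < MIN_KEY_BYTES:
        issues.append(f"short: fewer than {MIN_KEY_BYTES} bytes of key material")
    if shannon_entropy_per_char(key) < MIN_ENTROPY_BITS_PER_CHAR:
        issues.append("low-entropy: character variety too low for a random key")
    return issues


def audit_environment(env: Optional[Dict[str, str]] = None) -> dict:
    """Audit the key in an environment mapping (default: the live process environment)."""
    mapping = os.environ if env is None else env
    key = mapping.get(ENV_VAR)
    issues = key_issues(key)
    return {"variable": ENV_VAR, "configured": key is not None, "issues": issues, "ok": not issues}


def generate_key(nbytes: int = MIN_KEY_BYTES) -> str:
    """Generate a replacement key from the OS CSPRNG, hex-encoded (2 * nbytes characters)."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    # Constructed sample environments for demonstration, not real deployments.
    samples = {
        "unset": {},
        "default": {ENV_VAR: DEFAULT_KEY},
        "weak": {ENV_VAR: "a" * 36},
        "generated": {ENV_VAR: generate_key()},
    }
    for name, sample_env in samples.items():
        result = audit_environment(sample_env)
        print(f"{name:10s} ok={result['ok']} issues={result['issues']}")
```

Run it in the same container or shell environment that starts FileRise so it sees the variables the application sees. A passing key check does not undo earlier exposure: as the mitigation text says, the OIDC client secrets and SMTP passwords encrypted under the old key still need rotating after the key is replaced.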
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-17T19:27:06.344Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69bd0b4ce32a4fbe5f4933b8
Added to database: 3/20/2026, 8:54:36 AM
Last enriched: 3/20/2026, 9:08:55 AM
Last updated: 3/21/2026, 2:03:25 AM
Views: 13