CVE-2026-33072: CWE-798: Use of Hard-coded Credentials in error311 FileRise
CVE-2026-33072 is a high-severity vulnerability in FileRise versions prior to 3.9.0 caused by the use of a hardcoded default encryption key. This key, 'default_please_change_this_key', is used for all cryptographic operations including HMAC token generation, AES configuration encryption, and session tokens. Because the key is hardcoded and widely known, unauthenticated attackers can forge upload tokens to upload arbitrary files to shared folders and decrypt sensitive admin configuration secrets such as OIDC client secrets and SMTP passwords. The vulnerability arises when the deployer fails to override the default key via environment variables. This issue is fixed in version 3.9.0. The CVSS score is 8.2.
AI Analysis
Technical Summary
FileRise is a self-hosted web file manager and WebDAV server that, prior to version 3.9.0, uses a hardcoded default encryption key ('default_please_change_this_key') for all cryptographic operations. This key, referred to as PERSISTENT_TOKENS_KEY, is embedded in two places in the codebase and is used for generating HMAC tokens, encrypting configuration data with AES, and securing session tokens. If the deployer does not explicitly override this key via environment variables, the default key remains active, allowing attackers to bypass authentication controls. An unauthenticated attacker can exploit this vulnerability to forge upload tokens, enabling arbitrary file uploads to shared folders. Additionally, the attacker can decrypt sensitive administrative secrets such as OIDC client secrets and SMTP passwords, potentially leading to further compromise of the system and connected services. The vulnerability is classified under CWE-798 (Use of Hard-coded Credentials) and CWE-1188 (Improper Access of Encrypted Data). The issue was publicly disclosed on March 20, 2026, and fixed in FileRise version 3.9.0. The CVSS v3.1 score is 8.2 (High), with an attack vector of network, no privileges required, no user interaction, and a significant confidentiality impact.
Potential Impact
The impact of this vulnerability is significant for organizations using vulnerable versions of FileRise. Attackers can gain unauthorized access to upload arbitrary files, potentially leading to malware deployment, defacement, or data exfiltration. The ability to decrypt administrative secrets such as OIDC client secrets and SMTP passwords can facilitate further attacks including privilege escalation, lateral movement, and interception or manipulation of email communications. Confidentiality is severely compromised, while integrity is moderately affected due to unauthorized file uploads. Availability impact is low as the vulnerability does not directly enable denial of service. Since exploitation requires no authentication or user interaction and can be performed remotely over the network, the threat is highly accessible to attackers. Organizations relying on FileRise for sensitive file management or integration with identity providers and email systems are at elevated risk, especially if they have not updated to version 3.9.0 or have not overridden the default encryption key.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade FileRise to version 3.9.0 or later, where the hardcoded key issue is resolved. If upgrading is not immediately possible, administrators must ensure that the PERSISTENT_TOKENS_KEY environment variable is explicitly set to a strong, unique cryptographic key, replacing the default hardcoded value. Regularly audit configuration files and environment variables to verify that no default keys remain in use. Implement network-level access controls to restrict exposure of the FileRise service to trusted networks and users only. Monitor logs for suspicious upload token usage or unauthorized file uploads. Consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block anomalous token generation or upload attempts. Finally, because any secret encrypted under the default key must be treated as exposed, rotate OIDC client credentials, SMTP passwords and similar secrets after the key has been replaced.
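The audit step above (verify that no default key remains in use) is the kind of check that belongs in a startup guard rather than a one-off review. The following is an added example, not FileRise's own code: it reads the PERSISTENT_TOKENS_KEY variable and the default string named in this advisory, refuses the published default, an unset value, a too-short key or an obviously repetitive one, and shows how to generate a replacement. The environment-variable name and default value come from the advisory; the 32-byte minimum, the entropy floor and the assumption that the key is loaded from the process environment are this example's own.

```python
"""
Added example (not FileRise's own code): a startup guard and configuration
audit for the PERSISTENT_TOKENS_KEY setting described in CVE-2026-33072.
Assumptions: the key is read from the process environment under that name;
the 32-byte minimum and entropy floor are this example's own policy.
"""
import hmac
import math
import os
import secrets
from collections import Counter
from dataclasses import dataclass

DEFAULT_KEY = "default_please_change_this_key"  # default value named in the advisory
ENV_VAR = "PERSISTENT_TOKENS_KEY"               # variable name named in the advisory
MIN_KEY_BYTES = 32                              # assumption: 256-bit minimum
MIN_BITS_PER_CHAR = 3.0                         # assumption: rough floor against 'aaaa...' keys


@dataclass(frozen=True)
class KeyCheck:
    ok: bool
    reason: str


def shannon_entropy(s: str) -> float:
    """Bits per character of the string; a crude screen for repetitive keys."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def check_key(value) -> KeyCheck:
    """Classify a candidate key. Fails closed: anything doubtful is rejected."""
    if not value:
        return KeyCheck(False, f"{ENV_VAR} is unset; the hard-coded default would be used")
    # Constant-time comparison against the published default.
    if hmac.compare_digest(value.encode(), DEFAULT_KEY.encode()):
        return KeyCheck(False, f"{ENV_VAR} is still the published default value")
    if len(value.encode()) < MIN_KEY_BYTES:
        return KeyCheck(False, f"{ENV_VAR} is shorter than {MIN_KEY_BYTES} bytes")
    if shannon_entropy(value) < MIN_BITS_PER_CHAR:
        return KeyCheck(False, f"{ENV_VAR} has too little entropy per character")
    return KeyCheck(True, "key passes checks")


def generate_key(nbytes: int = MIN_KEY_BYTES) -> str:
    """Fresh random key from the OS CSPRNG, hex-encoded (64 chars for 32 bytes)."""
    return secrets.token_hex(nbytes)


def audit_env(env: dict) -> KeyCheck:
    """Audit one environment mapping (os.environ or a parsed .env file)."""
    return check_key(env.get(ENV_VAR))


def require_strong_key(env: dict = None) -> str:
    """Startup guard: raise instead of silently running on a weak or default key."""
    env = os.environ if env is None else env
    result = audit_env(env)
    if not result.ok:
        raise RuntimeError(f"refusing to start: {result.reason}")
    return env[ENV_VAR]


if __name__ == "__main__":
    # Constructed sample environments, not real deployments.
    samples = {
        "unset": {},
        "default": {ENV_VAR: DEFAULT_KEY},
        "short": {ENV_VAR: "abc123"},
        "repetitive": {ENV_VAR: "a" * 64},
        "generated": {ENV_VAR: generate_key()},
    }
    for name, env in samples.items():
        r = audit_env(env)
        print(f"{name:11s} ok={str(r.ok):5s} {r.reason}")
```

Calling require_strong_key() at service start turns a silent misconfiguration into a hard failure, which is the property the default key lacked; the same check_key function can be pointed at a parsed .env or container manifest during the periodic audit the advisory recommends.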
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-17T19:27:06.344Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69bd0b4ce32a4fbe5f4933b8
Added to database: 3/20/2026, 8:54:36 AM
Last enriched: 3/27/2026, 7:42:12 PM
Last updated: 5/3/2026, 1:28:31 PM
Views: 78