CVE-2026-33477: CWE-863: Incorrect Authorization in error311 FileRise
FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. In versiosn 2.3.7 through 3.10.0, the file snippet endpoint `/api/file/snippet.php` allows an authenticated user with only `read_own` access to a folder to retrieve snippet content from files uploaded by other users in the same folder. This is a server-side authorization flaw in the `read_own` enforcement for hover previews. Version 3.11.0 fixes the issue.
AI Analysis
Technical Summary
FileRise is a self-hosted web-based file management application supporting multi-file upload, editing, and batch operations. Versions 2.3.7 through 3.10.0 contain an authorization flaw identified as CVE-2026-33477 (CWE-863). The vulnerability exists in the /api/file/snippet.php endpoint, which provides snippet previews of files for hover preview functionality. The flaw arises because the server-side authorization incorrectly enforces the 'read_own' permission, allowing authenticated users with this limited access to retrieve snippet content from files uploaded by other users within the same folder. This means that users can view portions of files they should not have access to, violating confidentiality. The vulnerability does not permit file modification or deletion, nor does it affect availability. Exploitation requires authentication but no additional user interaction. The issue was addressed and fixed in FileRise version 3.11.0. The CVSS v3.1 base score is 4.3, reflecting low complexity and network attack vector but limited impact to confidentiality only. No public exploits or active exploitation have been reported to date.
Potential Impact
The primary impact of this vulnerability is unauthorized disclosure of file snippet content within shared folders, potentially exposing sensitive information to users who should only have limited read access to their own files. This can lead to breaches of confidentiality and privacy, especially in environments where multiple users share folders but have segregated access rights. Although the vulnerability does not allow modification or deletion of files, the leakage of file snippets could expose intellectual property, personal data, or other confidential information. Organizations relying on FileRise for secure file management may face compliance risks and reputational damage if sensitive data is inadvertently exposed. The risk is heightened in multi-tenant or collaborative environments where users have overlapping folder access but require strict data separation.
Mitigation Recommendations
The most effective mitigation is to upgrade FileRise to version 3.11.0 or later, where the authorization flaw has been corrected. Until upgrading is possible, organizations should consider restricting access to the affected /api/file/snippet.php endpoint via network controls or web application firewalls to prevent unauthorized snippet retrieval. Additionally, review and tighten folder access permissions to minimize the number of users with overlapping folder access, reducing the attack surface. Implement monitoring and logging of API access to detect unusual or unauthorized snippet retrieval attempts. Educate users about the importance of limiting file sharing within folders to trusted parties only. Finally, conduct regular audits of FileRise deployments to ensure they are running supported, patched versions.
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Japan, South Korea, India, Brazil
CVE-2026-33477: CWE-863: Incorrect Authorization in error311 FileRise
Description
FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. In versiosn 2.3.7 through 3.10.0, the file snippet endpoint `/api/file/snippet.php` allows an authenticated user with only `read_own` access to a folder to retrieve snippet content from files uploaded by other users in the same folder. This is a server-side authorization flaw in the `read_own` enforcement for hover previews. Version 3.11.0 fixes the issue.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
FileRise is a self-hosted web-based file management application supporting multi-file upload, editing, and batch operations. Versions 2.3.7 through 3.10.0 contain an authorization flaw identified as CVE-2026-33477 (CWE-863). The vulnerability exists in the /api/file/snippet.php endpoint, which provides snippet previews of files for hover preview functionality. The flaw arises because the server-side authorization incorrectly enforces the 'read_own' permission, allowing authenticated users with this limited access to retrieve snippet content from files uploaded by other users within the same folder. This means that users can view portions of files they should not have access to, violating confidentiality. The vulnerability does not permit file modification or deletion, nor does it affect availability. Exploitation requires authentication but no additional user interaction. The issue was addressed and fixed in FileRise version 3.11.0. The CVSS v3.1 base score is 4.3, reflecting low complexity and network attack vector but limited impact to confidentiality only. No public exploits or active exploitation have been reported to date.
Potential Impact
The primary impact of this vulnerability is unauthorized disclosure of file snippet content within shared folders, potentially exposing sensitive information to users who should only have limited read access to their own files. This can lead to breaches of confidentiality and privacy, especially in environments where multiple users share folders but have segregated access rights. Although the vulnerability does not allow modification or deletion of files, the leakage of file snippets could expose intellectual property, personal data, or other confidential information. Organizations relying on FileRise for secure file management may face compliance risks and reputational damage if sensitive data is inadvertently exposed. The risk is heightened in multi-tenant or collaborative environments where users have overlapping folder access but require strict data separation.
Mitigation Recommendations
The most effective mitigation is to upgrade FileRise to version 3.11.0 or later, where the authorization flaw has been corrected. Until upgrading is possible, organizations should consider restricting access to the affected /api/file/snippet.php endpoint via network controls or web application firewalls to prevent unauthorized snippet retrieval. Additionally, review and tighten folder access permissions to minimize the number of users with overlapping folder access, reducing the attack surface. Implement monitoring and logging of API access to detect unusual or unauthorized snippet retrieval attempts. Educate users about the importance of limiting file sharing within folders to trusted parties only. Finally, conduct regular audits of FileRise deployments to ensure they are running supported, patched versions.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-20T16:16:48.970Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69c570d8f4197a8e3bef1eee
Added to database: 3/26/2026, 5:46:00 PM
Last enriched: 3/26/2026, 6:02:36 PM
Last updated: 3/26/2026, 7:43:34 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.