FileRise, a self-hosted web-based file manager, has a vulnerability (CVE-2026-44460) affecting versions before 3.12.0. The /api/totp_setup.php endpoint can be accessed after only passing the password check but before full login. If the target account has TOTP configured, the endpoint decrypts and returns the existing TOTP secret embedded in the QR code PNG instead of denying access or generating a new secret. An attacker with the victim's password can extract this secret, generate valid TOTP codes, and bypass the need for the physical authenticator device by submitting codes to /api/totp_verify.php, gaining a fully authenticated session. This issue is classified under CWE-200 (Exposure of Sensitive Information), CWE-287 (Improper Authentication), and CWE-306 (Missing Authentication for Critical Function). The vulnerability has a CVSS 3.1 score of 7.4 (High severity).

An attacker who has obtained a victim's password can retrieve the victim's live TOTP secret, enabling them to generate valid one-time codes and bypass two-factor authentication. This leads to full account compromise without needing the victim's authenticator device. The confidentiality and integrity of user accounts are severely impacted. There is no indication of denial of service or availability impact. No known exploits in the wild have been reported at this time.

This vulnerability is fixed in FileRise version 3.12.0. Users should upgrade to version 3.12.0 or later to remediate this issue. Since this is a self-hosted product, administrators must apply the update manually. Patch status is not explicitly stated beyond the fix in 3.12.0, so verify with the vendor advisory for any additional guidance. No other mitigations are indicated.