CVE-2026-33072
Published: 20 March 2026
Summary
CVE-2026-33072 is a high-severity Use of Hard-coded Credentials (CWE-798) vulnerability in FileRise (vendor Filerise, product Filerise). Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 5.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-12 (Cryptographic Key Establishment and Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SC-12 (Cryptographic Key Establishment and Management): requires establishment and management of cryptographic keys, directly preventing the use of hardcoded default keys for HMAC, AES, and session tokens.
- CM-6 (Configuration Settings): mandates secure configuration settings, ensuring the PERSISTENT_TOKENS_KEY environment variable is overridden with a unique, strong value instead of the hardcoded default.
- SI-2 (Flaw Remediation): requires timely flaw remediation through patching to version 3.9.0, which fixes the hardcoded key vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The hardcoded default key directly enables forging authentication, upload, and session tokens for unauthorized access and uploads, and decrypting configuration secrets and credentials, in a public-facing web/WebDAV application:
- T1190 Exploit Public-Facing Application
- T1606 Forge Web Credentials
- T1552 Unsecured Credentials
NVD Description
FileRise is a self-hosted web file manager / WebDAV server. In versions prior to 3.9.0, a hardcoded default encryption key (default_please_change_this_key) is used for all cryptographic operations (HMAC token generation, AES config encryption, and session tokens), allowing any unauthenticated attacker to forge upload tokens for arbitrary file upload to shared folders, and to decrypt admin configuration secrets including OIDC client secrets and SMTP passwords. FileRise uses a single key (PERSISTENT_TOKENS_KEY) for all crypto operations. The default value default_please_change_this_key is hardcoded in two places and used unless the deployer explicitly overrides the environment variable. This issue is fixed in version 3.9.0.
Deeper analysis
CVE-2026-33072 affects FileRise, a self-hosted web file manager and WebDAV server, in versions prior to 3.9.0. The vulnerability stems from a hardcoded default encryption key, "default_please_change_this_key", which is used for all cryptographic operations including HMAC token generation, AES encryption of configuration data, and session tokens. This key, set via the PERSISTENT_TOKENS_KEY environment variable and hardcoded in two locations, is employed unless explicitly overridden by the deployer. It has a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N) and is associated with CWE-798 (Use of Hard-coded Credentials) and CWE-1188 (Insecure Default Initialization of Resource).
Unauthenticated attackers can exploit this over the network with low complexity and no user interaction. By knowing the default key, they can forge upload tokens to perform arbitrary file uploads to shared folders and decrypt sensitive admin configuration secrets, such as OIDC client secrets and SMTP passwords.
The issue is fixed in FileRise version 3.9.0, as detailed in the project's GitHub release notes and security advisory (GHSA-f4xx-57cv-mg3x). Deployers must override the PERSISTENT_TOKENS_KEY environment variable with a unique, strong value to mitigate the risk in affected versions.
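As an added defender-side example (not FileRise's own code), the following Python pre-start guard refuses to launch a deployment when PERSISTENT_TOKENS_KEY is unset, equals the default value quoted above, or is too short, and prints a freshly generated replacement. The 32-byte minimum, the guard's name, and the exit-code convention are assumptions of this example.

```python
"""Deployment guard for the hardcoded-key condition described in CVE-2026-33072.

Added example, not FileRise's own code: run it before starting the service so a
default or weak PERSISTENT_TOKENS_KEY never reaches the HMAC/AES/session code.
"""
import os
import secrets
import sys

# Default value shipped with FileRise < 3.9.0, as quoted in the advisory text.
KNOWN_DEFAULT_KEY = "default_please_change_this_key"
# Assumption: 32 bytes (256 bits) is the minimum we accept for a key that backs
# both HMAC tokens and AES config encryption.
MIN_KEY_BYTES = 32


def check_persistent_tokens_key(env: dict) -> tuple[bool, str]:
    """Return (ok, reason) for the PERSISTENT_TOKENS_KEY value found in env.

    ok is False when the key is absent (the application would fall back to the
    hardcoded default), equals the known default, or is shorter than MIN_KEY_BYTES.
    """
    key = env.get("PERSISTENT_TOKENS_KEY", "")
    if key == "":
        return False, "PERSISTENT_TOKENS_KEY is unset; the hardcoded default would be used"
    if key == KNOWN_DEFAULT_KEY:
        return False, "PERSISTENT_TOKENS_KEY is the publicly known default value"
    if len(key.encode("utf-8")) < MIN_KEY_BYTES:
        return False, f"PERSISTENT_TOKENS_KEY is shorter than {MIN_KEY_BYTES} bytes"
    return True, "PERSISTENT_TOKENS_KEY is non-default and of adequate length"


def generate_key() -> str:
    """Return a replacement key with MIN_KEY_BYTES of CSPRNG entropy, URL-safe
    so it can be pasted into an env file or container manifest unquoted."""
    return secrets.token_urlsafe(MIN_KEY_BYTES)


def main() -> int:
    """Exit 0 when the key passes, 1 otherwise (with a suggested replacement)."""
    ok, reason = check_persistent_tokens_key(dict(os.environ))
    print(("OK: " if ok else "REFUSING TO START: ") + reason)
    if not ok:
        print(f"Suggested value: PERSISTENT_TOKENS_KEY={generate_key()}")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main())
```

Because the page states the same key also encrypts stored configuration secrets, rotating it on an existing install means those secrets must be re-entered or re-encrypted under the new key; this guard only detects the weak setting and does not perform that migration.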
Details
- CWE(s)