CVE-2026-33330
Published: 24 March 2026
Summary
CVE-2026-33330 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Filerise Filerise. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 1.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations to prevent read-only authenticated users from overwriting files via forged ONLYOFFICE save callbacks.
Applies least privilege to restrict read-only users from performing write operations through the ONLYOFFICE integration.
Monitors software, firmware, and information integrity to identify unauthorized file overwrites resulting from the broken access control.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Broken access control allows read-only authenticated users to forge callbacks and overwrite files, directly enabling unauthorized stored data manipulation (T1565.001) and privilege escalation via exploitation of the authorization flaw (T1068).
NVD Description
FileRise is a self-hosted web file manager / WebDAV server. Prior to version 3.10.0, a broken access control issue in FileRise's ONLYOFFICE integration allows an authenticated user with read-only access to obtain a signed save callbackUrl for a file and…
more
then directly forge the ONLYOFFICE save callback to overwrite that file with attacker-controlled content. This issue has been patched in version 3.10.0.
Deeper analysisAI
CVE-2026-33330 is a broken access control vulnerability (CWE-863) in the ONLYOFFICE integration of FileRise, a self-hosted web file manager and WebDAV server. It affects FileRise versions prior to 3.10.0, where an authenticated user with read-only access can obtain a signed save callbackUrl for a file and forge the ONLYOFFICE save callback to overwrite that file with attacker-controlled content. The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N), indicating high integrity impact with low privileges required.
An attacker with authenticated read-only access to FileRise can exploit this issue remotely over the network with low complexity and no user interaction. By obtaining the signed callbackUrl for a target file and forging a save callback request to the ONLYOFFICE integration, the attacker can overwrite the file's contents with arbitrary data, potentially leading to data tampering or privilege escalation within the file management environment.
The vulnerability has been addressed in FileRise version 3.10.0, as detailed in the project's security advisory (GHSA-6c3j-f4x4-36m3), release notes, and the patching commit. Security practitioners should upgrade to version 3.10.0 or later to mitigate the issue.
Details
- CWE(s)