CVE-2026-33070
Authentication Bypass in FileRise Allows Unauthorized Share Link Deletion
Publication date: 2026-03-20
Last updated on: 2026-03-23
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| filerise | filerise | up to 3.8.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33070 is a missing-authentication vulnerability in FileRise versions prior to 3.8.0, specifically in the deleteShareLink API endpoint. This endpoint allows any unauthenticated user to delete arbitrary file share links by providing only the share token, without requiring any authentication, authorization, or CSRF validation.
The vulnerable function, FileController::deleteShareLink(), deletes share links directly based on the provided token without security checks. Since share tokens are often exposed in URLs, logs, or browser history, attackers who know or can guess these tokens can delete share links remotely.
This vulnerability enables unauthenticated remote attackers to revoke legitimate recipients' access to shared files by deleting share links, causing denial of service to shared file access.
How can this vulnerability impact me?
This vulnerability can impact you by allowing attackers to delete your file share links without any authentication, effectively causing denial of service to anyone relying on those shared links to access files.
Since share tokens can be exposed or guessed, attackers can automate brute-force attempts to delete multiple share links, disrupting file sharing and collaboration.
The impact is limited to integrity (unauthorized deletion of share links) and does not affect confidentiality or availability of the files themselves.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the FileRise server is running a version prior to 3.8.0 and if the POST /api/file/deleteShareLink.php endpoint is accessible without authentication.
Since the vulnerability allows unauthenticated deletion of share links by providing the share token, detection can involve attempting to access or test this endpoint with known or guessed share tokens.
Commands to detect the vulnerability might include sending POST requests to the vulnerable endpoint with share tokens and observing if deletion occurs without authentication.
- Use curl to test the deleteShareLink endpoint: curl -X POST 'http://<target>/api/file/deleteShareLink.php' -d 'shareToken=<token>' -v (a successful test deletes that share link, so use a disposable share link created for the test).
- Check if the share links can be listed without authentication by querying the getShareLinks endpoint.
If the deletion succeeds or share links are exposed without authentication, the system is vulnerable. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation is to upgrade FileRise to version 3.8.0 or later, where the vulnerability is fixed.
The fix includes requiring authenticated sessions and admin authorization for share-link deletion, enforcing CSRF token validation, and restricting share-link listing to authenticated admins.
Until the upgrade can be performed, restrict access to the vulnerable endpoint by network controls such as firewall rules or web server configuration to prevent unauthenticated access.
Monitor logs for suspicious POST requests to /api/file/deleteShareLink.php and investigate any unauthorized deletion attempts.
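A defender-side triage script for the log monitoring suggested above, added here as an example (it is not part of the CVE record or of FileRise): it parses web-server access logs in the common "combined" format, keeps only POSTs to /api/file/deleteShareLink.php, and flags any client that issued more than a threshold of them inside a short window, which is the shape a token-guessing run leaves behind. The log lines, IP addresses, threshold and window are constructed for the example; the HTTP status codes are reported as seen, since what FileRise returns for a successful versus failed deletion is not stated in the record.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined format); not real FileRise traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Mar/2026:10:00:01 +0000] "POST /api/file/deleteShareLink.php HTTP/1.1" 200 45 "-" "curl/8.5.0"
203.0.113.7 - - [20/Mar/2026:10:00:02 +0000] "POST /api/file/deleteShareLink.php HTTP/1.1" 404 31 "-" "curl/8.5.0"
203.0.113.7 - - [20/Mar/2026:10:00:02 +0000] "POST /api/file/deleteShareLink.php HTTP/1.1" 404 31 "-" "curl/8.5.0"
203.0.113.7 - - [20/Mar/2026:10:00:03 +0000] "POST /api/file/deleteShareLink.php HTTP/1.1" 200 45 "-" "curl/8.5.0"
198.51.100.4 - - [20/Mar/2026:10:05:00 +0000] "POST /api/file/deleteShareLink.php HTTP/1.1" 200 45 "https://files.example/share" "Mozilla/5.0"
198.51.100.4 - - [20/Mar/2026:10:06:10 +0000] "GET /api/file/getShareLinks.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TARGET = "/api/file/deleteShareLink.php"  # endpoint named in the CVE record

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore any query string
    return rec

def find_deletion_bursts(log_text, max_hits=3, window=timedelta(seconds=60)):
    """Return {ip: {"total": n, "by_status": {code: n}}} for every client that sent
    more than max_hits POSTs to TARGET within any span of length `window`."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == TARGET:
            per_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0  # sliding window over the sorted timestamps
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            if end - start + 1 > max_hits:
                flagged[ip] = {"total": len(recs),
                               "by_status": dict(Counter(r["status"] for r in recs))}
                break
    return flagged
```

Tune max_hits and window to the normal rate at which your own users revoke share links; a single legitimate deletion per user is expected, a run of them from one client in seconds is not.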