Executive Summary

CVE-2026-33070 is a missing-authentication vulnerability in FileRise versions prior to 3.8.0, specifically in the deleteShareLink API endpoint. This endpoint allows any unauthenticated user to delete arbitrary file share links by providing only the share token, without requiring any authentication, authorization, or CSRF validation.

The vulnerable function, FileController::deleteShareLink(), deletes share links directly based on the provided token without security checks. Since share tokens are often exposed in URLs, logs, or browser history, attackers who know or can guess these tokens can delete share links remotely.

This vulnerability enables unauthenticated remote attackers to revoke legitimate recipients’ access to shared files by deleting share links, causing denial of service to shared file access.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing attackers to delete your file share links without any authentication, effectively causing denial of service to anyone relying on those shared links to access files.

Since share tokens can be exposed or guessed, attackers can automate brute-force attempts to delete multiple share links, disrupting file sharing and collaboration.

The impact is limited to integrity (unauthorized deletion of share links) and does not affect confidentiality or availability of the files themselves.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if the FileRise server is running a version prior to 3.8.0 and if the POST /api/file/deleteShareLink.php endpoint is accessible without authentication.'}, {'type': 'paragraph', 'content': 'Since the vulnerability allows unauthenticated deletion of share links by providing the share token, detection can involve attempting to access or test this endpoint with known or guessed share tokens.'}, {'type': 'paragraph', 'content': 'Commands to detect the vulnerability might include sending POST requests to the vulnerable endpoint with share tokens and observing if deletion occurs without authentication.'}, {'type': 'list_item', 'content': "Use curl to test the deleteShareLink endpoint: curl -X POST 'http://<target>/api/file/deleteShareLink.php' -d 'shareToken=<token>' -v"}, {'type': 'list_item', 'content': 'Check if the share links can be listed without authentication by querying the getShareLinks endpoint.'}, {'type': 'paragraph', 'content': 'If the deletion succeeds or share links are exposed without authentication, the system is vulnerable.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and recommended mitigation is to upgrade FileRise to version 3.8.0 or later, where the vulnerability is fixed.

The fix includes requiring authenticated sessions and admin authorization for share-link deletion, enforcing CSRF token validation, and restricting share-link listing to authenticated admins.

Until the upgrade can be performed, restrict access to the vulnerable endpoint by network controls such as firewall rules or web server configuration to prevent unauthenticated access.

Monitor logs for suspicious POST requests to /api/file/deleteShareLink.php and investigate any unauthorized deletion attempts.

Useful 0 Not Useful 0