CVE-2026-33330
Received Received - Intake
Broken Access Control in FileRise ONLYOFFICE Allows File Overwrite

Publication date: 2026-03-24

Last updated on: 2026-03-26

Assigner: GitHub, Inc.

Description
FileRise is a self-hosted web file manager / WebDAV server. Prior to version 3.10.0, a broken access control issue in FileRise's ONLYOFFICE integration allows an authenticated user with read-only access to obtain a signed save callbackUrl for a file and then directly forge the ONLYOFFICE save callback to overwrite that file with attacker-controlled content. This issue has been patched in version 3.10.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-24
Last Modified
2026-03-26
Generated
2026-05-07
AI Q&A
2026-03-24
EPSS Evaluated
2026-05-05
NVD
CVE-2026-33330
EUVD
EUVD-2026-14994
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
filerise filerise to 3.10.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in FileRise, a self-hosted web file manager and WebDAV server, specifically in its integration with ONLYOFFICE prior to version 3.10.0.

An authenticated user who only has read-only access can exploit a broken access control issue to obtain a signed save callbackUrl for a file.

The attacker can then forge the ONLYOFFICE save callback to overwrite that file with content they control, effectively bypassing intended access restrictions.

This vulnerability was fixed in version 3.10.0 of FileRise.


How can this vulnerability impact me? :

This vulnerability allows an authenticated user with only read-only permissions to overwrite files with attacker-controlled content.

Such unauthorized file modification can lead to data integrity issues, potential data loss, or the introduction of malicious content.

Because the attacker can overwrite files without proper authorization, this could compromise the reliability and trustworthiness of stored data.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been patched in FileRise version 3.10.0. The immediate step to mitigate this vulnerability is to upgrade FileRise to version 3.10.0 or later.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart