CVE-2026-33330
Received Received - Intake
Broken Access Control in FileRise ONLYOFFICE Allows File Overwrite

Publication date: 2026-03-24

Last updated on: 2026-03-26

Assigner: GitHub, Inc.

Description
FileRise is a self-hosted web file manager / WebDAV server. Prior to version 3.10.0, a broken access control issue in FileRise's ONLYOFFICE integration allows an authenticated user with read-only access to obtain a signed save callbackUrl for a file and then directly forge the ONLYOFFICE save callback to overwrite that file with attacker-controlled content. This issue has been patched in version 3.10.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-24
Last Modified
2026-03-26
Generated
2026-06-16
AI Q&A
2026-03-24
EPSS Evaluated
2026-06-14
NVD
CVE-2026-33330
EUVD
EUVD-2026-14994
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
filerise filerise to 3.10.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in FileRise, a self-hosted web file manager and WebDAV server, specifically in its integration with ONLYOFFICE prior to version 3.10.0.

An authenticated user who only has read-only access can exploit a broken access control issue to obtain a signed save callbackUrl for a file.

The attacker can then forge the ONLYOFFICE save callback to overwrite that file with content they control, effectively bypassing intended access restrictions.

This vulnerability was fixed in version 3.10.0 of FileRise.

Impact Analysis

This vulnerability allows an authenticated user with only read-only permissions to overwrite files with attacker-controlled content.

Such unauthorized file modification can lead to data integrity issues, potential data loss, or the introduction of malicious content.

Because the attacker can overwrite files without proper authorization, this could compromise the reliability and trustworthiness of stored data.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

The vulnerability has been patched in FileRise version 3.10.0. The immediate step to mitigate this vulnerability is to upgrade FileRise to version 3.10.0 or later.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33330. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart