CVE-2026-33330
Received Received - Intake

Broken Access Control in FileRise ONLYOFFICE Allows File Overwrite

Vulnerability report for CVE-2026-33330, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-03-24

Last updated on: 2026-03-26

Assigner: GitHub, Inc.

Description

FileRise is a self-hosted web file manager / WebDAV server. Prior to version 3.10.0, a broken access control issue in FileRise's ONLYOFFICE integration allows an authenticated user with read-only access to obtain a signed save callbackUrl for a file and then directly forge the ONLYOFFICE save callback to overwrite that file with attacker-controlled content. This issue has been patched in version 3.10.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-03-24
Last Modified
2026-03-26
Generated
2026-07-06
AI Q&A
2026-03-24
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
filerise filerise to 3.10.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in FileRise, a self-hosted web file manager and WebDAV server, specifically in its integration with ONLYOFFICE prior to version 3.10.0.

An authenticated user who only has read-only access can exploit a broken access control issue to obtain a signed save callbackUrl for a file.

The attacker can then forge the ONLYOFFICE save callback to overwrite that file with content they control, effectively bypassing intended access restrictions.

This vulnerability was fixed in version 3.10.0 of FileRise.

Impact Analysis

This vulnerability allows an authenticated user with only read-only permissions to overwrite files with attacker-controlled content.

Such unauthorized file modification can lead to data integrity issues, potential data loss, or the introduction of malicious content.

Because the attacker can overwrite files without proper authorization, this could compromise the reliability and trustworthiness of stored data.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

The vulnerability has been patched in FileRise version 3.10.0. The immediate step to mitigate this vulnerability is to upgrade FileRise to version 3.10.0 or later.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33330. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart