Home / Vulnerability Intelligence / CVE-2026-33072

CVE-2026-33072 - Vulnerability Analysis

HighCVSS: 8.2

Last Updated: March 23, 2026

FileRise - Authentication Bypass

Published: March 20, 2026Updated: March 23, 2026PoC AvailableRemote Exploitable

Overview

FileRise < 3.9.0 contains a broken authentication caused by a hardcoded default encryption key used for all cryptographic operations, letting unauthenticated attackers forge upload tokens and decrypt admin secrets, exploit requires default key usage.

Severity & Score

Severity: High

CVSS Score: 8.2

EPSS Score: 0.9%(Probability of exploitation in next 30 days)

Impact

Unauthenticated attackers can upload arbitrary files and decrypt sensitive admin secrets, leading to full system compromise.

Mitigation

Update to version 3.9.0 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 20, 2026

🟠 CVE-2026-33072 - High (8.2) FileRise is a self-hosted web file manager / WebDAV server. In versions prior to 3.9.0, a hardcoded default encryption key (default_please_change_this_key) is used for all cryptographic operations — HMAC token generation, AES config encryption, ... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33072/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-33072
Severity: High
CVSS Score: 8.2
Type: broken_authentication
Status: confirmed
EPSS: 0.9%
Social Posts: 1

CWE

CWE-798

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

EPSS Score

0.9%Probability of exploitation in the next 30 days