CVE-2026-44460 | Severity: HIGH | CNA: GitHub_M

CVE-2026-44460: FileRise: TOTP Bypass via Setup Endpoint Disclosing Existing Secret

FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. Prior to 3.12.0, /api/totp_setup.php is callable from a session that has only passed the password check (state pending_login_user). When the target account already has TOTP configured, the endpoint decrypts and returns the user's existing TOTP secret inside the QR PNG instead of refusing or generating a new secret. An attacker who already possesses the victim's password can therefore retrieve the live TOTP secret, derive a valid one-time code, submit it to /api/totp_verify.php, and obtain a fully authenticated session without ever possessing the victim's authenticator device. This vulnerability is fixed in 3.12.0.

HarborGuard Analysis

Synopsis

This is an authentication bypass in FileRise, a self-hosted web-based file manager. An attacker who already knows the victim's password logs in to reach the pending_login_user state, calls the TOTP setup endpoint (/api/totp_setup.php) from that partially authenticated session, and receives the victim's existing, live TOTP secret embedded in a QR code image, with no access to the victim's authenticator device. From that secret the attacker derives a valid one-time code, submits it to /api/totp_verify.php, and obtains a fully authenticated session, defeating the second factor entirely. Exploitation needs only network access to the instance and the victim's password; no privilege granted by FileRise is required. The fix is FileRise 3.12.0; all earlier versions are affected.

HarborGuard Coverage

Detection

Detection for CVE-2026-44460 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images derived from FileRise base layers or bundling FileRise as a dependency.

Available
Triage

HarborGuard scores this finding at CVSS 7.4 (HIGH) using the published v3.1 vector and is capable of weighting that score against each environment's compliance policy to route the alert to the appropriate team inbox within each customer organization.

Available
Patch

The upstream fix is FileRise 3.12.0; every earlier version is affected. HarborGuard offers a rebuilt image at that version, and for customers with auto-remediation enabled, a rebuild, regression run, and PR against affected workloads are triggered automatically.

Available (3.12.0)

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoints are exposed over HTTP/HTTPS, so the attacker must be able to reach the FileRise instance over the network (CVSS AV:N).

  • Authentication: Not required

    The CVSS vector scores PR:N because the attacker needs no privilege granted by FileRise. Knowing the victim's password is a precondition of the attack, which the vector captures under attack complexity rather than as a privilege.

  • Victim interaction: Not required

    The attacker talks directly to the server-side API endpoints; the victim need not click a link or take any action (UI:N).

  • Attack complexity: High

    Scored AC:H: exploitation depends on a condition outside the attacker's control, namely already possessing the victim's password before the TOTP secret can be retrieved.

Blast Radius

  • The attacker reads the victim's live TOTP secret from the decrypted QR code payload and retains it until the secret is rotated; re-enrolling TOTP is the only way to revoke that knowledge.
  • The attacker derives valid one-time codes from the recovered secret and submits them to the verification endpoint to obtain a fully authenticated session.
  • With a fully authenticated session, the attacker gains access to all files, uploads, edits, and batch operations available to the victim's account on the FileRise instance.
  • Confidentiality and integrity of stored files are both compromised; the attacker can read, overwrite, or delete files within the scope of the victim account's permissions.

How HarborGuard Handles This

Available on HarborGuard: the upstream fix is FileRise 3.12.0, and upgrading to it is the remedy. HarborGuard offers a rebuilt image at that version, and for customers who opt into auto-remediation, a rebuild, regression-test run, and PR opened against affected workloads follow automatically. Where the upgrade must wait, compensating controls worth considering include network-policy isolation that restricts access to the FileRise instance to trusted source IPs; a reverse proxy in front of /api/totp_setup.php that either denies the path outright or requires its own credentials independent of FileRise's login (the attacker already holds a FileRise session that has passed the password check, so a proxy that merely requires a FileRise session cookie adds nothing); and monitoring of application logs for requests to that endpoint from sessions still in the pending_login_user state. Because a recovered secret stays valid until it is rotated, accounts whose passwords may have been known to an attacker should re-enroll TOTP after the upgrade.
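The monitoring control above depends on seeing session state next to the request path, which a plain web server access log does not record; it needs an application-level audit log. The following Python is an added example, not FileRise or HarborGuard code, that runs that detection over a constructed JSON-lines audit log. The field names (ts, session, state, user, path, status) and the sample entries are assumptions about such a log, not FileRise's actual format; only the two endpoint paths and the pending_login_user state come from the advisory. It flags every setup call from a pending session and escalates the ones followed by a successful verify from the same session, which is the complete bypass chain.

```python
"""Added example (not FileRise/HarborGuard code): detect TOTP-setup calls from
sessions that have only passed the password check, and the follow-on verify."""
import json
from datetime import datetime, timedelta

SETUP = "/api/totp_setup.php"
VERIFY = "/api/totp_verify.php"
PENDING = "pending_login_user"

# Constructed sample audit log. s1: legitimate enrollment from a fully
# authenticated session. s2: the full bypass chain. s3: secret retrieved, no
# verify yet. s4: an ordinary second-factor login with no setup call.
SAMPLE_AUDIT_LOG = """\
{"ts": "2026-05-01T10:00:00Z", "session": "s1", "state": "authenticated", "user": "alice", "path": "/api/totp_setup.php", "status": 200}
{"ts": "2026-05-01T10:02:10Z", "session": "s2", "state": "pending_login_user", "user": "bob", "path": "/api/totp_setup.php", "status": 200}
{"ts": "2026-05-01T10:02:41Z", "session": "s2", "state": "pending_login_user", "user": "bob", "path": "/api/totp_verify.php", "status": 200}
{"ts": "2026-05-01T10:05:00Z", "session": "s3", "state": "pending_login_user", "user": "carol", "path": "/api/totp_setup.php", "status": 200}
{"ts": "2026-05-01T10:06:00Z", "session": "s4", "state": "pending_login_user", "user": "dave", "path": "/api/totp_verify.php", "status": 200}
"""


def parse_events(text: str) -> list:
    """One JSON object per line; timestamps become aware datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return events


def find_totp_setup_abuse(events: list, window: timedelta = timedelta(minutes=5)) -> list:
    """Every setup call from a pending session is an alert; one followed within
    the window by a successful verify on the same session is the full chain.
    Assumes a 200 on the verify endpoint means the code was accepted."""
    alerts = []
    for e in events:
        if e["path"] != SETUP or e["state"] != PENDING:
            continue
        chained = any(
            f["session"] == e["session"]
            and f["path"] == VERIFY
            and f["status"] == 200
            and timedelta(0) <= f["ts"] - e["ts"] <= window
            for f in events
        )
        alerts.append({
            "user": e["user"],
            "session": e["session"],
            "ts": e["ts"].isoformat(),
            "severity": "critical" if chained else "high",
            "reason": ("TOTP secret retrieved from pending session and a code "
                       "accepted afterwards" if chained else
                       "TOTP setup called from pending session"),
        })
    return alerts


if __name__ == "__main__":
    for a in find_totp_setup_abuse(parse_events(SAMPLE_AUDIT_LOG)):
        print(a["severity"].upper(), a["user"], a["session"], a["reason"])
```

A setup call from a pending session is an alert on its own, since the fixed version never serves one; the verify correlation only decides whether to treat it as an attempted retrieval or as an account that has already been taken over.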


Metrics

CVSS v3.1: 7.4
Severity: HIGH
Fixed in: 3.12.0
Affected products: 1
Affected packages
  • error311 / FileRise
    < 3.12.0
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N