CVE-2026-54414: FileRise shared-folder upload path traversal allows arbitrary file write and admin takeover
FileRise before 3.16.0 is vulnerable to path traversal in the shared-folder upload endpoint (/api/folder/uploadToSharedFolder.php), leading to arbitrary file write and administrator account takeover. The upload filename is validated by FolderController with basename() and REGEX_FILE_NAME, which permit URL-encoded sequences (the regex blocks / and \ but not %). The raw filename is then passed to UploadModel::handleUpload, where it is reconstructed as trim(urldecode(basename($fileName))), re-introducing path separators after validation (e.g. ..%2fusers%2fusers.txt becomes ../users/users.txt). UploadNamePolicy::isAllowedForWrite() applies basename() internally and therefore only evaluates the final component (users.txt), allowing the traversal sequence to pass the extension policy. The destination path is then used directly in move_uploaded_file() with no realpath containment check, allowing a write outside the intended upload directory. An attacker who possesses a valid, non-expired, upload-enabled shared-folder link/token (which are designed to be shared publicly) can overwrite users/users.txt to create an administrator account, resulting in unauthenticated admin takeover and, depending on configuration, remote code execution. Exploitation requires possession of a valid, non-expired, upload-enabled shared-folder link/token. This issue is fixed in 3.16.0, which URL-decodes before validation and rejects any path separators in the upload filename.
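The validation-ordering flaw described above, shown as an added PHP illustration that is not FileRise's own code: `REGEX_FILE_NAME` is an assumed stand-in that, as the advisory describes, rejects `/` and `\` but not `%`; `vulnerableResolve()` reproduces the validate-then-decode order, and `hardenedResolve()` shows the fix the advisory describes for 3.16.0 (decode first, reject any path separator) plus a `realpath()` containment check. Function names, the regex and the demo directory are hypothetical.

```php
<?php
// Added illustration (not FileRise code). REGEX_FILE_NAME is an assumed
// stand-in: it blocks '/' and '\' but lets '%' through, like the advisory says.
const REGEX_FILE_NAME = '/^[^\/\\\\]+$/';

// Vulnerable ordering: validate the raw (still URL-encoded) name,
// decode it later, then use the joined path with no containment check.
function vulnerableResolve(string $rawName, string $uploadDir): ?string
{
    // Validation step: basename() + regex on the encoded name passes,
    // because '..%2fusers%2fusers.txt' contains no literal separator.
    if (!preg_match(REGEX_FILE_NAME, basename($rawName))) {
        return null;
    }
    // Model step: urldecode() after validation re-introduces '/'.
    $decoded = trim(urldecode(basename($rawName)));
    // Destination is used directly; nothing confines it to $uploadDir.
    return $uploadDir . '/' . $decoded;
}

// Hardened ordering: decode first, then require a single path component,
// then confirm the resolved destination's parent is the upload directory.
function hardenedResolve(string $rawName, string $uploadDir): ?string
{
    $name = trim(urldecode($rawName));
    // Reject empty names, '.', '..', and any '/', '\' or NUL byte
    // (urldecode('%00') would otherwise yield a NUL).
    if ($name === '' || $name === '.' || $name === '..'
        || strpbrk($name, "/\\\0") !== false) {
        return null;
    }
    $base = realpath($uploadDir);
    if ($base === false) {
        return null; // upload directory must exist before we resolve into it
    }
    $target = $base . DIRECTORY_SEPARATOR . $name;
    // Containment check (defence in depth): the destination's parent
    // directory must resolve to exactly $base, so symlinks or any
    // separator that slipped past the filter cannot escape it.
    $parent = realpath(dirname($target));
    if ($parent === false || $parent !== $base) {
        return null;
    }
    return $target;
}

// Demonstration with the encoded name quoted in the advisory (constructed
// demo directory under the system temp path).
$uploadDir = sys_get_temp_dir() . '/filerise-demo';
@mkdir($uploadDir, 0700, true);

$encoded = '..%2fusers%2fusers.txt';
var_dump(vulnerableResolve($encoded, $uploadDir));  // escapes $uploadDir
var_dump(hardenedResolve($encoded, $uploadDir));    // rejected
var_dump(hardenedResolve('report.pdf', $uploadDir)); // accepted, inside $uploadDir
```

Run with `php example.php`: the vulnerable resolver returns a path ending in `filerise-demo/../users/users.txt`, the hardened one returns `NULL` for the same input and a path inside the demo directory for `report.pdf`. The point to carry over to any upload handler is that every decoding step (URL decoding, unicode normalisation, archive entry names) has to happen before the separator and extension checks, and that the final destination should be confirmed with `realpath()` against the intended base directory rather than trusted from string manipulation alone.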
Metrics
- CVSS v4.0: 9.3
- Severity: CRITICAL
- Fixed in: 3.16.0
- Affected Products: 1
HarborGuard Analysis
Synopsis
A path traversal vulnerability in FileRise's shared-folder upload endpoint allows an attacker to write arbitrary files outside the intended upload directory. The flaw is reachable over the network without authentication, provided the attacker holds a valid shared-folder upload link (such links are designed to be distributed publicly). Successful exploitation overwrites the user database to create an administrator account, enabling full admin takeover and, depending on server configuration, remote code execution. A patched-image rebuild at version 3.16.0 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection is available across every HarborGuard environment: CVE-2026-54414 is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle FileRise. Any image with a FileRise installation below 3.16.0 is flagged automatically.
HarborGuard scores this CVE at 9.3 CRITICAL (CVSS v4.0) and weights that score against each customer environment's compliance policy to determine urgency and routing. Triage findings are delivered to the appropriate team inbox within each customer organization based on configured ownership rules.
A patched-image rebuild at FileRise 3.16.0 becomes available through HarborGuard for any environment where an affected image is detected. For customers with auto-remediation enabled, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The vulnerable upload endpoint is exposed over the network; an attacker must be able to send HTTP requests to the FileRise service.
- Authentication: Not required
No account credentials are required; a valid shared-folder upload link or token, which are designed to be shared publicly, is sufficient to reach and exploit the endpoint.
- Victim interaction: Not required
Exploitation is fully attacker-driven with no need for any user on the target system to take an action.
- Attack complexity
The exploit is reliable and condition-free once a valid shared-folder upload token is in hand; no race conditions or special environmental factors are required.
Blast Radius
- Attacker overwrites the users/users.txt file to inject a new administrator account, achieving full admin-level control of the FileRise instance.
- With admin access, the attacker can read all files stored in FileRise, including files uploaded by other users or shared via private links.
- Depending on server configuration, the arbitrary file write primitive can be used to place a web shell or other executable payload, resulting in remote code execution on the host.
- All data managed by the FileRise instance, including stored files, user credentials, and sharing configurations, is subject to exfiltration or modification.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-54414 fires within minutes of image scan against any image bundling FileRise below 3.16.0. Given the CRITICAL severity and zero-interaction exploit path, this CVE is prioritized at the top of the triage queue under default compliance policy settings. For customers with auto-remediation enabled, HarborGuard triggers a rebuild at FileRise 3.16.0, runs regression tests, and opens a patch PR against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled. For environments where auto-remediation requires manual approval, HarborGuard surfaces the rebuild as a one-click action in the remediation dashboard. Because the attack requires only a publicly shareable upload token, any internet-facing FileRise deployment should treat this as urgent; network-policy controls that restrict inbound access to the upload endpoint can reduce exposure while a patched image is staged.
Affected Products
- error311 / FileRise: < 3.16.0 (from 0)
- CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N