External risk intelligence

FileRise Path Traversal to Admin Account Takeover

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-54414

The vulnerability exists in an API endpoint designed for file uploads within a shared-folder feature. These endpoints are commonly exposed as part of internet-facing web applications or file-sharing services intended for external access via shared links or tokens.

Path Traversal

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in FileRise's file upload functionality allows unauthenticated attackers with a shared link to gain administrator access, potentially leading to system compromise. This issue arises from improper handling of file paths during uploads, enabling attackers to write files to arbitrary locations.

  • File uploads can be hijacked to take over accounts.
  • Consider the exposure of shared file upload features.
  • Confirm if shared file upload is a relevant service.

Attack Path

How an attacker could exploit the issue

An attacker with a valid, non-expired, upload-enabled shared-folder link or token can exploit a path traversal vulnerability in FileRise to write arbitrary files. This could lead to administrator account takeover and potentially remote code execution, as the filename validation does not adequately prevent traversal sequences when URL-encoded, and the destination path is not properly checked before a file is moved.

  • Requires a shared upload link or token.
  • Triggers with a specially crafted, URL-encoded filename.
  • Results in account takeover and code execution.

Live Threat

Current exploitation, exposure, and threat context

FileRise before version 3.16.0 suffers from a path traversal vulnerability in its shared-folder upload endpoint. This vulnerability could allow an attacker with a valid, non-expired upload-enabled shared-folder link or token to overwrite critical files, such as `users/users.txt`, to create an administrator account. This could lead to an unauthenticated administrator takeover of the system and, depending on the configuration, potentially remote code execution. The vulnerability is exploitable when an attacker possesses a valid shared-folder link/token with upload permissions.

  • Sensitive user and configuration files.
  • Path traversal via crafted filenames.
  • Account takeover and potential RCE.

Operational Fix

Recommended remediation, mitigation, and detection steps

The FileRise shared-folder upload endpoint is vulnerable to path traversal, enabling arbitrary file writes and administrator account takeover by attackers who possess a valid upload-enabled shared-folder link. The initial action is to identify all instances of FileRise, confirm their exposure and criticality, and identify the accountable owner for remediation planning.

  • Identify FileRise instances and exposure.
  • Verify shared folder link access and permissions.
  • Plan remediation with vendor coordination.

Supplementary metadata

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Free EASM Trial See How Signal Works

Frequently asked questions

What is FileRise?

FileRise is a software platform designed to manage file sharing and collaboration. It includes features for users to host shared folders, allowing others to upload files through specific web-based endpoints. These shared-folder capabilities are often used by organizations to facilitate external document exchange, acting as a portal for authorized individuals to send or receive data directly within the FileRise environment.

What does path traversal mean in CVE-2026-54414?

Path traversal, or CWE-22, is a weakness where software does not properly filter special characters in a file path. In CVE-2026-54414, the application's filename validation could be bypassed using URL-encoded sequences. Because the system reconstructed the filename after checking it, it allowed attackers to use '..' sequences to escape the intended upload directory, effectively tricking the software into writing files to unauthorized locations.

How does an attacker trigger this vulnerability?

An attacker needs a valid, non-expired, upload-enabled shared-folder link or token to access the vulnerable API endpoint. The attack involves crafting a filename containing URL-encoded path separators, such as '%2f', which the system fails to block before processing. Simply having the software installed is not enough; the attacker must be able to interact with an active, functional file-upload link to submit the malicious filename.

Is my FileRise instance at risk?

According to Halo Surface Signal, this vulnerability is most relevant to instances that expose shared-folder upload endpoints to the internet. If your FileRise installation uses these features for external file sharing, it is a primary point of concern. You should assess whether your shared-folder links are accessible by unauthorized external parties, as this is the specific vector that allows an attacker to interact with the vulnerable upload code.

How do I secure my environment against this issue?

The primary response is to upgrade to FileRise version 3.16.0 or later. This version updates how filenames are processed by URL-decoding them before validation, ensuring that path traversal sequences are correctly identified and rejected. If you cannot update immediately, identify all active, upload-enabled shared-folder links and restrict their availability to prevent unauthorized access until the update is applied.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished