COSMICBYTEZLABS

© 2026 CosmicBytez Labs. All rights reserved.

CVE-2026-54414: FileRise Path Traversal Enables Arbitrary File Write and Admin Takeover

Critical Security Alert

No in-the-wild exploitation had been confirmed at the time of publication (see the Exploited in Wild row below), but the flaw is unauthenticated, network-reachable and trivially weaponized. Treat the upgrade as an emergency change.


A critical path traversal vulnerability in FileRise before 3.16.0 allows unauthenticated attackers to write arbitrary files and completely compromise administrator accounts via the shared-folder upload endpoint.

Dylan H.

Security Team

June 19, 2026
5 min read

Affected Products

  • FileRise before 3.16.0

Critical Path Traversal in FileRise Leads to Full Admin Compromise

FileRise, a self-hosted file management and sharing platform, is affected by a critical path traversal vulnerability tracked as CVE-2026-54414, published to the National Vulnerability Database (NVD) on June 19, 2026. The flaw carries a CVSS score of 9.8 (Critical) and affects all versions prior to 3.16.0.

The vulnerability resides in the shared-folder upload endpoint at /api/folder/uploadToSharedFolder.php. The endpoint does validate the uploaded filename, using PHP's basename() together with a REGEX_FILE_NAME pattern in the FolderController, but those checks can be satisfied by a crafted filename that still resolves outside the shared folder at the moment the file is written. The result is an arbitrary file write to any location the web server process can write to, with no authentication required.


Vulnerability Details

Detail               Value
CVE ID               CVE-2026-54414
CVSS Score           9.8 (Critical)
Attack Vector        Network, unauthenticated
Affected Product     FileRise before 3.16.0
Vulnerable Endpoint  /api/folder/uploadToSharedFolder.php
Root Cause           Insufficient path validation (basename() + regex bypass)
Impact               Arbitrary file write, administrator account takeover
Published            June 19, 2026
Patch Available      FileRise 3.16.0
Exploited in Wild    Not yet confirmed

How the Vulnerability Works

Bypassing basename() Validation

PHP's basename() returns the final path segment, so a raw filename of ../../shell.php collapses to shell.php, which is why it is so often mistaken for a sanitizer. It is a lexical operation on the exact bytes it receives, not a confinement check. It does not percent-decode, so ..%2F..%2Fshell.php passes through unchanged and becomes a traversal the moment the application decodes it later; it treats the backslash as a separator only on Windows; and it is locale-aware, so multibyte filenames can be mangled unless the matching locale is set. Modern PHP rejects paths containing a null byte (a ValueError in PHP 8), so the classic %00 truncation only matters on very old runtimes, but an explicit check still belongs in the sanitizer. When the output of basename() is later decoded, concatenated, or handed to a platform-specific file API, the "sanitized" value can therefore still reach the filesystem as a relative path. The advisory does not publish the exact input used against FileRise; the mechanisms listed here are the general classes of weakness a reviewer checks for, not a confirmed root cause.

REGEX_FILE_NAME Bypass

An allowlist regex such as REGEX_FILE_NAME is only as strong as its anchoring and the point at which it runs. A pattern anchored with $ instead of \z still matches a value that ends in a newline; a pattern without ^ or \A matches as long as some substring is acceptable; and a pattern run against the percent-encoded or otherwise pre-normalized value says nothing about the bytes that reach the filesystem after a later urldecode(), realpath() or concatenation step. The attacker's task is to find an input that satisfies the regex as written yet still contains traversal elements once PHP has finished transforming it. The exact pattern in the affected FolderController is not quoted in the advisory; these are the properties a reviewer would verify when auditing it.
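As an added example (not FileRise's code, and not the confirmed FileRise bypass), the following Python reimplements the two shapes described in the last two sections: a validate-then-decode sanitizer built from basename() and a permissive regex, which a percent-encoded name walks straight through, and a hardened version that decodes first, rejects rather than repairs, applies a fully anchored allowlist and then verifies that the resolved path is inside the shared folder. SHARED_BASE, the function names and the sample filenames are assumptions for illustration. One regex detail matters for PHP readers: Python's \Z is the absolute end of string, equivalent to PCRE's \z; PCRE's \Z, like $, still matches before a trailing newline.

```python
"""Added example: basename() + regex is not a confinement check.

Python reimplementation of the pattern discussed above, not FileRise's code.
SHARED_BASE and the sample filenames are assumptions for illustration.
"""
import posixpath
import re
from urllib.parse import unquote

SHARED_BASE = "/srv/filerise/uploads/shared"  # assumed shared-folder root

# Weak allowlist: '$' also matches before a trailing newline, and '%' is
# allowed, so a percent-encoded separator passes untouched.
WEAK_NAME_RE = re.compile(r"^[A-Za-z0-9._%-]+$")

# Strict allowlist: \A..\Z (absolute end in Python; use \z in PCRE), no '%',
# no separator of either platform, bounded length, no leading dot (.htaccess).
STRICT_NAME_RE = re.compile(r"\A[A-Za-z0-9][A-Za-z0-9._-]{0,254}\Z")


def weak_regex_ok(name: str) -> bool:
    return WEAK_NAME_RE.search(name) is not None


def strict_regex_ok(name: str) -> bool:
    return STRICT_NAME_RE.search(name) is not None


def naive_target(raw_name: str) -> str:
    """Vulnerable shape: validate the still-encoded name, then decode and join.

    basename() sees no '/' in '..%2F..%2Fshell.php' and leaves it alone, the
    weak regex accepts it, and the later unquote() turns it into a traversal.
    """
    stripped = posixpath.basename(raw_name)
    if not weak_regex_ok(stripped):
        raise ValueError("rejected by REGEX_FILE_NAME-style check")
    decoded = unquote(stripped)  # now '../../shell.php'
    return posixpath.normpath(posixpath.join(SHARED_BASE, decoded))


def confined_target(raw_name: str) -> str:
    """Hardened shape: decode first, reject instead of repairing, then confine.

    The final containment check is deliberately redundant with the allowlist:
    it is the control that still holds if the regex is ever loosened.
    """
    name = unquote(raw_name)
    if "\x00" in name or name in ("", ".", ".."):
        raise ValueError("invalid filename")
    if "/" in name or "\\" in name:  # both separators are hostile on every platform
        raise ValueError("filename contains a path separator")
    if not strict_regex_ok(name):
        raise ValueError("filename outside allowlist")
    base = posixpath.normpath(SHARED_BASE)
    target = posixpath.normpath(posixpath.join(base, name))
    # Lexical containment. In production also compare os.path.realpath() of both
    # sides so a symlink planted inside the share cannot redirect the write.
    if target == base or posixpath.commonpath([base, target]) != base:
        raise ValueError("path escapes shared folder")
    return target


def rejects(raw_name: str) -> bool:
    """True if the hardened version refuses the name."""
    try:
        confined_target(raw_name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    payload = "..%2F..%2Fshell.php"
    print("naive   :", naive_target(payload))   # /srv/filerise/shell.php, outside the share
    print("confined:", rejects(payload))        # True
    print("newline :", weak_regex_ok("shell.php\n"), strict_regex_ok("shell.php\n"))  # True False
```

The naive version reaches /srv/filerise/shell.php, two levels above the share, without any check failing; the confined version refuses the same input at the separator check and would refuse it again at the containment check if the earlier checks were removed. Rejecting rather than stripping also means a client sending ..\..\x.php gets an error instead of a silently renamed file, which is what you want in an audit trail.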

File Write to Arbitrary Locations

Once the path validation is bypassed, the application writes the attacker-controlled content to a location outside the intended shared folder. Common exploitation paths include:

  • Writing a PHP web shell to a web-accessible directory (/var/www/html/, the application root, or a plugin directory)
  • Overwriting configuration files such as config.php to modify database credentials or authentication settings
  • Writing SSH authorized_keys if the web server user has write access to home directories

Administrator Account Takeover

The advisory names administrator account takeover as a direct outcome but does not describe the mechanism. Given an arbitrary write as the web server user, the most direct route is to overwrite whatever FileRise uses to persist user records or credential hashes, or the configuration that points to that store, so that the administrator account authenticates with an attacker-chosen value; any such file writable by the service account is in scope. Which file that is in FileRise's layout is not stated in the advisory.

Illustrative request shape only. The filename below is a bare ../ sequence, which basename() alone would reduce to shell.php; the encoding that actually defeats the FileRise checks in affected versions is not published in the advisory, and the webroot path is a placeholder.

POST /api/folder/uploadToSharedFolder.php HTTP/1.1
Host: target.filerise.local
Content-Type: multipart/form-data; boundary=----Boundary
 
------Boundary
Content-Disposition: form-data; name="file"; filename="../../webroot/shell.php"
Content-Type: application/octet-stream
 
<?php system($_GET['cmd']); ?>
------Boundary--

Impact Assessment

Impact Area              Description
Severity                 CVSS 9.8 Critical, the highest severity tier
Authentication required  None; unauthenticated exploitation
User interaction         None required
Filesystem access        Arbitrary write to any path writable by the web server process
Account compromise       Direct administrator account takeover documented
Code execution           Possible via web shell deployment
Deployment exposure      Any internet-facing or network-accessible FileRise installation before 3.16.0

Recommendations

Immediate Actions

  1. Upgrade to FileRise 3.16.0 or later — the fix is available now; this should be treated as an emergency patch given the unauthenticated, critical-severity nature of the flaw
  2. Restrict access to the upload endpoint — if immediate patching is not possible, use firewall rules or web server ACLs to restrict access to /api/folder/uploadToSharedFolder.php to trusted IP ranges only
  3. Audit recently uploaded files — review file system changes in the document root and application directories for unexpected PHP files or modified configuration files

Detection Guidance

  • Web server logs: Look for POST requests to /api/folder/uploadToSharedFolder.php from unexpected sources or in bursts from a single client, and for request URIs or query strings containing ../, ..%2F, ..%5C, double-encoded variants such as %252e%252e%252f, or %00. Note that the malicious filename travels in the multipart body, which a standard access log does not record; to see it you need a reverse proxy or WAF that logs the multipart filename, or FileRise's own application logging. Otherwise rely on the filesystem checks below.
  • File system monitoring: Alert on new .php files written outside expected upload directories
  • Integrity checks: Compare application files against a known-good baseline to detect configuration tampering
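The detection guidance above, as an added example that is not part of the original advisory or of FileRise. The Python below parses combined-format access log lines for POSTs to the upload endpoint and flags traversal indicators after repeated percent-decoding, so ..%2F, ..%5C, double-encoded and null-byte forms are all caught. The log lines are constructed; the trailing filename="..." field is an assumption modelling a reverse proxy or WAF configured to record the multipart filename, since a stock access log carries only the request line.

```python
"""Added example: triage of upload-endpoint log lines for traversal indicators.

Not FileRise's code. The log lines are constructed. The trailing filename="..."
field models a reverse proxy or WAF configured to log the multipart filename;
a stock access log carries only the request line.
"""
import re
from urllib.parse import unquote

ENDPOINT = "/api/folder/uploadToSharedFolder.php"

# Combined log format with an optional appended filename="..." field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: .*?filename="(?P<fname>[^"]*)")?'
)

# Constructed sample. 203.0.113.x, 198.51.100.x and 192.0.2.x are documentation ranges.
SAMPLE_LOG = r'''
203.0.113.7 - - [19/Jun/2026:10:15:02 +0000] "POST /api/folder/uploadToSharedFolder.php HTTP/1.1" 200 512 filename="quarterly-report.pdf"
198.51.100.23 - - [19/Jun/2026:10:16:44 +0000] "POST /api/folder/uploadToSharedFolder.php HTTP/1.1" 200 512 filename="..%2F..%2Fshell.php"
198.51.100.23 - - [19/Jun/2026:10:16:51 +0000] "POST /api/folder/uploadToSharedFolder.php HTTP/1.1" 200 512 filename="..%252F..%252Fconfig.php"
198.51.100.23 - - [19/Jun/2026:10:17:03 +0000] "POST /api/folder/uploadToSharedFolder.php HTTP/1.1" 200 512 filename="..\..\shell.php"
198.51.100.23 - - [19/Jun/2026:10:17:20 +0000] "POST /api/folder/uploadToSharedFolder.php HTTP/1.1" 200 512 filename="shell.php%00.txt"
192.0.2.9 - - [19/Jun/2026:10:18:00 +0000] "GET /api/folder/list.php?path=..%2F..%2Fetc HTTP/1.1" 404 0
'''


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable so double-encoded %252e%252e%252f is seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_indicators(value: str) -> list:
    """Return the traversal signals present in a path-like value."""
    decoded = decode_fully(value)
    hits = []
    if "\x00" in decoded:
        hits.append("null byte")
    unified = decoded.replace("\\", "/")  # covers ..%5C and literal backslashes
    if "../" in unified or unified.endswith("/..") or unified == "..":
        hits.append("dot-dot segment")
    return hits


def scan(log_text: str) -> list:
    """Flag POSTs to the upload endpoint whose URI or logged filename shows traversal."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["uri"].startswith(ENDPOINT):
            continue
        reasons = []
        for field in ("uri", "fname"):
            if m[field]:
                reasons.extend(f"{field}: {hit}" for hit in traversal_indicators(m[field]))
        if reasons:
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["status"], "; ".join(f["reasons"]))
```

On the sample this flags the four 198.51.100.23 requests and ignores both the benign upload and the GET to a different endpoint. A 200 status on a flagged POST is the higher-confidence signal, because it means the server accepted the write; pair any such hit with the filesystem and integrity checks above to find what was written.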

Configuration Hardening

  • Run the web server and PHP-FPM processes under a dedicated, least-privilege user whose write access is limited to the upload directory; application code, configuration and the document root should be owned by a different user and not writable by the service account, which turns an arbitrary write into a write confined to the share
  • Set open_basedir in php.ini or the FPM pool to the directory tree FileRise legitimately needs; this constrains PHP's own file functions as defense in depth but is not a hard security boundary, so it complements rather than replaces filesystem permissions
  • Consider a web application firewall (WAF) rule that blocks traversal sequences, including percent-encoded and double-encoded forms, in multipart filenames as an additional layer; a WAF cannot be relied on to catch every encoding the application itself will accept

Key Takeaways

  1. CVE-2026-54414 is a CVSS 9.8 critical flaw — unauthenticated path traversal enabling arbitrary file write and admin account takeover in FileRise before 3.16.0
  2. basename() is not a sufficient path sanitization control — its behavior varies across platforms and PHP versions and can be bypassed in combination with other operations
  3. The shared-folder upload endpoint lacked robust directory confinement — file writes were not restricted to the intended upload directory by absolute path enforcement
  4. Patch to 3.16.0 immediately; restricting network access to the endpoint reduces exposure but does not remove the flaw, and no workaround short of the vendor fix fully mitigates it
  5. Web-facing file management platforms are high-value targets — they inherently combine file write capability with broad filesystem access, making path traversal flaws particularly dangerous in this class of software

Sources

  • CVE-2026-54414 — NVD
