PatchSiren cyber security CVE debrief
CVE-2026-44460 error311 CVE debrief
FileRise versions prior to 3.12.0 contain an authentication bypass vulnerability in the TOTP (Time-based One-Time Password) setup flow. The /api/totp_setup.php endpoint is accessible from sessions that have only completed password verification but have not yet passed TOTP verification (pending_login_user state). When invoked for an account with existing TOTP configuration, the endpoint decrypts and returns the user's current TOTP secret within a QR code PNG image rather than rejecting the request or generating a new secret. An attacker with knowledge of a victim's password can exploit this behavior to retrieve the live TOTP secret, generate a valid one-time code, submit it to /api/totp_verify.php, and obtain a fully authenticated session without physical access to the victim's authenticator device. This represents a multi-factor authentication bypass where possession of a single factor (password) enables compromise of the second factor (TOTP). The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-287 (Improper Authentication), and CWE-306 (Missing Authentication for Critical Function). The CVSS 3.1 vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N reflects network attack vector, high attack complexity due to the prerequisite password compromise, no required privileges or user interaction, and high impact to confidentiality and integrity with no availability impact.
- Vendor: error311
- Product: FileRise
- CVSS: HIGH 7.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Organizations operating FileRise instances with TOTP-enabled user accounts, particularly those with external-facing deployments. Security teams responsible for MFA implementation and session management in self-hosted web applications. Incident responders investigating potential authentication bypass events in FileRise environments.
Technical summary
The vulnerability exists in the state machine governing FileRise authentication sessions. The pending_login_user state, intended as an intermediate step between password verification and TOTP verification, incorrectly exposes functionality that should require fully authenticated status. The /api/totp_setup.php endpoint fails to validate that the requesting session has completed full MFA authentication before processing TOTP configuration requests. When processing requests for accounts with existing TOTP secrets, the endpoint's logic path retrieves and decrypts the stored secret for QR code generation rather than enforcing a secret regeneration workflow or access denial. This architectural flaw enables an attacker who has compromised a password to escalate to full session compromise by extracting the TOTP secret and independently generating valid time-based codes. The fix in version 3.12.0 presumably adds proper session state validation to the TOTP setup endpoint or modifies the secret handling logic to prevent disclosure of existing secrets.
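To make the state-machine point concrete, here is an added illustration of the endpoint gate, with the vulnerable decision beside a hardened one. This is not FileRise's code and not the 3.12.0 fix (the advisory only says what the fix presumably does); the `AuthState` enum, the session and user dictionaries, and the base32 secret format are assumptions made for the example.

```python
from enum import Enum
import base64
import secrets


class AuthState(Enum):
    """Session states of the authentication flow described in the advisory (assumed names)."""
    ANONYMOUS = "anonymous"
    PENDING_LOGIN_USER = "pending_login_user"  # password verified, TOTP not yet verified
    AUTHENTICATED = "authenticated"            # both factors verified


class AuthRequired(Exception):
    """Raised when the session has not completed full MFA authentication."""


class AlreadyEnrolled(Exception):
    """Raised when the account already has a TOTP secret and re-enrollment was not requested."""


def new_totp_secret() -> str:
    # 160-bit secret, base32-encoded as authenticator apps expect (assumed format).
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def totp_setup_vulnerable(session: dict, user: dict) -> dict:
    """Models the pre-3.12.0 behaviour the advisory describes: only checks that a user is
    attached to the session (true in pending_login_user as well) and, for an enrolled
    account, returns the existing secret instead of refusing or regenerating."""
    if session.get("user") is None:
        raise AuthRequired("no user on session")
    if user.get("totp_secret"):
        return {"secret": user["totp_secret"], "regenerated": False}
    user["totp_secret"] = new_totp_secret()
    return {"secret": user["totp_secret"], "regenerated": True}


def totp_setup_hardened(session: dict, user: dict, reenroll: bool = False) -> dict:
    """Gate the setup endpoint on the fully authenticated state and never disclose an
    existing secret: an enrolled account either gets a refusal or, on explicit
    re-enrollment, a freshly generated secret that replaces the old one."""
    if session.get("state") != AuthState.AUTHENTICATED:
        raise AuthRequired("TOTP setup requires a fully authenticated session")
    if user.get("totp_secret") and not reenroll:
        raise AlreadyEnrolled("account already has TOTP configured")
    user["totp_secret"] = new_totp_secret()
    return {"secret": user["totp_secret"], "regenerated": True}


def setup_decision(handler, session: dict, user: dict) -> str:
    """Run a setup handler and summarise the outcome as a string for logs or tests."""
    try:
        result = handler(session, user)
    except AuthRequired:
        return "deny:not_fully_authenticated"
    except AlreadyEnrolled:
        return "deny:already_enrolled"
    return "allow:regenerated" if result["regenerated"] else "allow:disclosed_existing"


if __name__ == "__main__":
    # Constructed scenario: password verified, TOTP not yet verified, account already enrolled.
    pending = {"user": "alice", "state": AuthState.PENDING_LOGIN_USER}
    enrolled = {"totp_secret": "CONSTRUCTEDEXISTINGSECRET"}
    print("vulnerable:", setup_decision(totp_setup_vulnerable, pending, dict(enrolled)))
    print("hardened:  ", setup_decision(totp_setup_hardened, pending, dict(enrolled)))
```

The two decisions differ on exactly the two points the summary names: the hardened handler checks the session state rather than merely the presence of a user, and it treats an already-enrolled account as a refusal (or a replacement on explicit re-enrollment) so the stored secret is never read back out.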
Defensive priority
HIGH
Recommended defensive actions
- Upgrade FileRise to version 3.12.0 or later to remediate this vulnerability.
- Review authentication logs for suspicious /api/totp_setup.php access patterns from sessions in pending_login_user state, particularly where the requesting IP differs from typical user locations.
- Audit user accounts for unexpected TOTP verification events that may indicate secret compromise and subsequent session establishment.
- Implement network-level access controls or Web Application Firewall rules to restrict /api/totp_setup.php access to trusted source IP ranges where feasible.
- Consider implementing additional session state validation to ensure TOTP setup endpoints require full authentication rather than partial password-only verification.
- Monitor for anomalous authentication sequences where totp_setup.php is immediately followed by totp_verify.php with successful verification from new device fingerprints or locations.
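The log-review actions above describe two patterns: a `/api/totp_setup.php` hit from a `pending_login_user` session, and that hit followed shortly by a successful `/api/totp_verify.php` from an unfamiliar address. Here they are as runnable detection logic over constructed log lines. This is an added example, not part of the advisory and not FileRise tooling; the key=value log format, the `state` field and the per-user IP baseline are assumptions that would need adapting to the logs actually available.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access log in a hypothetical key=value format. FileRise's real log
# format and the exact session-state field are not described in the advisory.
SAMPLE_LOG = """\
2026-05-27T09:58:10Z ip=198.51.100.7 user=alice state=authenticated path=/api/totp_setup.php status=200
2026-05-27T10:01:02Z ip=203.0.113.5 user=bob state=pending_login_user path=/api/totp_setup.php status=200
2026-05-27T10:01:40Z ip=203.0.113.5 user=bob state=pending_login_user path=/api/totp_verify.php status=200
2026-05-27T10:05:00Z ip=198.51.100.9 user=carol state=pending_login_user path=/api/totp_verify.php status=200
2026-05-27T11:30:00Z ip=198.51.100.11 user=dave state=pending_login_user path=/api/totp_setup.php status=200
2026-05-27T13:00:00Z ip=198.51.100.11 user=dave state=pending_login_user path=/api/totp_verify.php status=200
"""

# Constructed per-user baseline of source addresses seen on earlier successful logins.
KNOWN_IPS = {
    "alice": {"198.51.100.7"},
    "bob": {"198.51.100.8"},
    "carol": {"198.51.100.9"},
    "dave": {"198.51.100.11"},
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) state=(?P<state>\S+) "
    r"path=(?P<path>\S+) status=(?P<status>\d+)$"
)


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    event["status"] = int(event["status"])
    return event


def find_totp_bypass_indicators(log_text: str, known_ips: dict, window=timedelta(minutes=15)):
    """Return findings for the two patterns the advisory recommends watching for:
    1. totp_setup.php reached from a pending_login_user session (the endpoint should only
       be reachable after full authentication), and
    2. that hit followed within `window` by a successful totp_verify.php for the same user,
       rated high when the verifying address is not in the user's baseline."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    findings = []
    pre_auth_setup = {}  # user -> most recent pre-auth totp_setup.php event
    for e in events:
        baseline = known_ips.get(e["user"], set())
        if e["path"] == "/api/totp_setup.php" and e["state"] == "pending_login_user":
            pre_auth_setup[e["user"]] = e
            findings.append({"indicator": "pre_auth_totp_setup", "severity": "medium",
                             "user": e["user"], "ip": e["ip"], "ts": e["ts"],
                             "new_ip": e["ip"] not in baseline})
        elif e["path"] == "/api/totp_verify.php" and e["status"] == 200:
            setup = pre_auth_setup.pop(e["user"], None)
            if setup is not None and e["ts"] - setup["ts"] <= window:
                new_ip = e["ip"] not in baseline
                findings.append({"indicator": "setup_then_verify",
                                 "severity": "high" if new_ip else "medium",
                                 "user": e["user"], "ip": e["ip"], "ts": e["ts"],
                                 "new_ip": new_ip})
    return findings


if __name__ == "__main__":
    for f in find_totp_bypass_indicators(SAMPLE_LOG, KNOWN_IPS):
        print(f"{f['ts']:%H:%M:%S} {f['severity']:<6} {f['indicator']:<22} user={f['user']} ip={f['ip']} new_ip={f['new_ip']}")
```

On the constructed log, alice's setup call comes from an authenticated session and is ignored, bob's pre-auth setup followed 38 seconds later by a successful verify from an address outside his baseline is the high-severity chain, carol's verify has no preceding setup, and dave's pre-auth setup is reported on its own because his verify falls outside the 15-minute window. The window and the medium/high split are tuning choices, not values from the advisory.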
Evidence notes
Vulnerability description and fix version derived from official CVE record and GitHub Security Advisory. CVSS vector and weakness classifications sourced from NVD reference data. Attack flow reconstructed from endpoint behavior described in advisory.
Official resources
- CVE-2026-44460 CVE record (CVE.org)
- CVE-2026-44460 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-27