Perceptive Security
SOC/SIEM Consultancy

FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. Prior to 3.12.0, /api/totp_setup.php is callable from a …
Published:
26 May 2026 at 22:00:00
Alert date:
27 May 2026 at 19:08:13
Source:
nvd.nist.gov
Web Technologies, Identity & Access
FileRise, a self-hosted web-based file manager, has a critical vulnerability in versions prior to 3.12.0. The /api/totp_setup.php endpoint improperly handles TOTP configuration requests from sessions that have only passed password authentication. When a user account already has TOTP configured, the endpoint incorrectly decrypts and returns the existing TOTP secret within a QR PNG response. This allows attackers who possess a victim's password to extract the live TOTP secret, generate valid one-time codes, and bypass two-factor authentication to gain full session access without physical access to the victim's authenticator device. The vulnerability represents a complete bypass of multi-factor authentication protections and has been fixed in version 3.12.0.
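The flaw described above is an authorization-state problem rather than a cryptographic one: a setup endpoint that is reachable after the first factor alone, and that re-emits an already-enrolled secret, gives the second factor to anyone holding the password. The following is an added illustration written for this page in Python, not FileRise's PHP code; the names `Session`, `User`, `totp_setup_vulnerable`, `totp_setup_hardened` and `confirm_totp_setup` are hypothetical. It places the described behaviour (password-only session, existing secret returned, shown here as base32 rather than a QR PNG) beside a hardened version that refuses to reconfigure an enrolled account until the session has completed MFA, never returns the stored secret, and only commits a fresh pending secret after the user proves possession of it with a valid code.

```python
"""
Added example, not FileRise's code: a TOTP-setup endpoint modelled two ways.
The vulnerable form mirrors the advisory text; the hardened form shows the
checks a defender expects. All names and data here are constructed.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    user_id: str
    password_ok: bool        # first factor (password) passed
    mfa_ok: bool = False     # second factor (TOTP) passed in this session


@dataclass
class User:
    user_id: str
    totp_secret: Optional[str] = None          # enrolled base32 secret, None = not enrolled
    pending_totp_secret: Optional[str] = None  # generated but not yet confirmed


class Forbidden(Exception):
    """Raised when the session is not entitled to the requested action."""


def totp_code(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1; used here to verify the confirmation code."""
    counter = int(at // step)
    key = base64.b32decode(secret_b32, casefold=True)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _new_secret() -> str:
    return base64.b32encode(secrets.token_bytes(20)).decode()


def totp_setup_vulnerable(session: Session, user: User) -> str:
    """Behaviour described in the advisory: a password-only session suffices,
    and an already-enrolled account gets its live secret handed back."""
    if not session.password_ok:
        raise Forbidden("login required")
    if user.totp_secret is None:
        user.totp_secret = _new_secret()
    return user.totp_secret


def totp_setup_hardened(session: Session, user: User) -> str:
    """Reconfiguring an enrolled account is a sensitive action: require a fully
    authenticated session, and issue a *pending* secret instead of the stored one."""
    if not session.password_ok:
        raise Forbidden("login required")
    if user.totp_secret is not None and not session.mfa_ok:
        raise Forbidden("complete the second factor before reconfiguring TOTP")
    user.pending_totp_secret = _new_secret()
    return user.pending_totp_secret   # the enrolled secret is never re-emitted


def confirm_totp_setup(user: User, code: str, now: int) -> bool:
    """Commit the pending secret only after the user proves possession of it;
    one step of clock drift in either direction is tolerated."""
    if user.pending_totp_secret is None:
        return False
    for drift in (-30, 0, 30):
        if hmac.compare_digest(totp_code(user.pending_totp_secret, now + drift), code):
            user.totp_secret, user.pending_totp_secret = user.pending_totp_secret, None
            return True
    return False


def demo() -> dict:
    """Runs both variants against an enrolled account with a password-only session."""
    enrolled = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"   # constructed: base32 of b"12345678901234567890"
    user = User("alice", totp_secret=enrolled)
    pw_only = Session("alice", password_ok=True)
    leaked = totp_setup_vulnerable(pw_only, user) == enrolled
    try:
        totp_setup_hardened(pw_only, user)
        refused = False
    except Forbidden:
        refused = True
    return {"vulnerable_returns_live_secret": leaked, "hardened_refuses": refused,
            "secret_unchanged": user.totp_secret == enrolled}


if __name__ == "__main__":
    print(demo())
```

The hardened path deliberately separates "generate" from "commit": an attacker who somehow reached the setup endpoint would receive only an unconfirmed secret that the user's authenticator does not hold, while the enrolled secret stays encrypted at rest and is never decrypted for display.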
Technical details:
Mitigation steps:
Upgrade FileRise to version 3.12.0 or later, the release in which the advisory states the issue is fixed.
Affected products:
FileRise
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-44460
https://github.com/error311/FileRise/security/advisories/GHSA-84hw-8g73-v3f8
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
