CVE-2026-27170

OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI. In versions 1.1.2-alpha and below, URL ingest allows overly permissive server-side fetch behavior and can be coerced into requesting unsafe targets. Potential access/probing of private/local network resources from the OpenSift host process when ingesting attacker-controlled URLs. This issue has been fixed in version 1.1.3-alpha. To workaround when using trusted local-only exceptions, use OPENSIFT_ALLOW_PRIVATE_URLS=true with caution.

CVSS v3 7.1 HIGH

7.1^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/OpenSift/OpenSift/releases/tag/v1.1.3-alpha	Product Release Notes
https://github.com/OpenSift/OpenSift/security/advisories/GHSA-3w2r-hj5p-h6pp	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:opensift:opensift:*:*:*:*:*:python:*:*

History

23 Feb 2026, 20:50

Type	Values Removed	Values Added
References	~~() https://github.com/OpenSift/OpenSift/releases/tag/v1.1.3-alpha -~~	() https://github.com/OpenSift/OpenSift/releases/tag/v1.1.3-alpha - Product, Release Notes
References	~~() https://github.com/OpenSift/OpenSift/security/advisories/GHSA-3w2r-hj5p-h6pp -~~	() https://github.com/OpenSift/OpenSift/security/advisories/GHSA-3w2r-hj5p-h6pp - Vendor Advisory
First Time		Opensift Opensift opensift
CPE		cpe:2.3:a:opensift:opensift::::::python::*

21 Feb 2026, 00:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-21 00:16

Updated : 2026-02-23 20:50

NVD link : CVE-2026-27170

Mitre link : CVE-2026-27170

CVE.ORG link : CVE-2026-27170

JSON object : View

Products Affected

opensift

opensift

CWE

CWE-20

Improper Input Validation

CWE-918

Server-Side Request Forgery (SSRF)

7.1 /10