CVE-2026-28676

OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI. Prior to version 1.6.3-alpha, multiple storage helpers used path construction patterns that did not uniformly enforce base-directory containment. This created path-injection risk in file read/write/delete flows if malicious path-like values were introduced. This issue has been patched in version 1.6.3-alpha.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/OpenSift/OpenSift/commit/1126e0a503876056a68a434e19f64158a5a4840b	Patch
https://github.com/OpenSift/OpenSift/commit/de99b9c	Patch
https://github.com/OpenSift/OpenSift/pull/67	Issue Tracking Patch
https://github.com/OpenSift/OpenSift/releases/tag/v1.6.3-alpha	Release Notes
https://github.com/OpenSift/OpenSift/security/advisories/GHSA-ww4m-c7hv-2rqv	Vendor Advisory Patch

Configurations

Configuration 1 (hide)

cpe:2.3:a:opensift:opensift:*:*:*:*:*:python:*:*

History

18 Mar 2026, 13:02

Type	Values Removed	Values Added
CPE		cpe:2.3:a:opensift:opensift::::::python::*
References	~~() https://github.com/OpenSift/OpenSift/commit/1126e0a503876056a68a434e19f64158a5a4840b -~~	() https://github.com/OpenSift/OpenSift/commit/1126e0a503876056a68a434e19f64158a5a4840b - Patch
References	~~() https://github.com/OpenSift/OpenSift/commit/de99b9c -~~	() https://github.com/OpenSift/OpenSift/commit/de99b9c - Patch
References	~~() https://github.com/OpenSift/OpenSift/pull/67 -~~	() https://github.com/OpenSift/OpenSift/pull/67 - Issue Tracking, Patch
References	~~() https://github.com/OpenSift/OpenSift/releases/tag/v1.6.3-alpha -~~	() https://github.com/OpenSift/OpenSift/releases/tag/v1.6.3-alpha - Release Notes
References	~~() https://github.com/OpenSift/OpenSift/security/advisories/GHSA-ww4m-c7hv-2rqv -~~	() https://github.com/OpenSift/OpenSift/security/advisories/GHSA-ww4m-c7hv-2rqv - Vendor Advisory, Patch
First Time		Opensift Opensift opensift

09 Mar 2026, 13:36

Type	Values Removed	Values Added
Summary		(es) OpenSift es una herramienta de estudio de IA que tamiza grandes conjuntos de datos utilizando búsqueda semántica e IA generativa. Antes de la versión 1.6.3-alpha, múltiples asistentes de almacenamiento utilizaban patrones de construcción de rutas que no aplicaban uniformemente la contención del directorio base. Esto creaba riesgo de inyección de rutas en los flujos de lectura/escritura/eliminación de archivos si se introducían valores maliciosos similares a rutas. Este problema ha sido parcheado en la versión 1.6.3-alpha.

06 Mar 2026, 05:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-06 05:16

Updated : 2026-03-18 13:02

NVD link : CVE-2026-28676

Mitre link : CVE-2026-28676

CVE.ORG link : CVE-2026-28676

JSON object : View

Products Affected

opensift

opensift

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

8.8 /10