Plattform
python
Komponente
openchatbi
Behoben in
0.2.3
0.2.2
CVE-2026-28795 describes a critical Path Traversal vulnerability within the save_report tool of openchatbi. This flaw allows attackers to manipulate file paths, potentially writing files to arbitrary locations on the system. The vulnerability affects versions of openchatbi up to and including 0.2.1, and a fix is available in version 0.2.2.
The vulnerability lies within the savereport tool, specifically in how it handles the fileformat parameter. Insufficient sanitization allows attackers to craft malicious filenames containing path traversal sequences like /../../. When the filename is constructed, these sequences are preserved, enabling attackers to write files to arbitrary locations on the server's file system. This could allow for overwriting critical system files, injecting malicious code, or exfiltrating sensitive data. The potential impact is significant, as an attacker could gain complete control over the server's file system.
This vulnerability was publicly disclosed on 2026-03-02. There are currently no known public exploits or active campaigns targeting this vulnerability. The CVSS score of 7.5 (HIGH) indicates a significant risk. It is recommended to prioritize remediation efforts.
Organizations deploying openchatbi, particularly those using older versions (≤0.2.1) or those with insufficient file access controls, are at significant risk. Shared hosting environments where multiple users have write access to the same directory are especially vulnerable.
• python / file system:
import os
import glob
report_dir = '/path/to/openchatbi/reports'
pattern = os.path.join(report_dir, '*.*')
# Check for unexpected files outside the report directory
for file in glob.glob(pattern):
if not file.startswith(report_dir): # Basic check - refine as needed
print(f"Potential path traversal: {file}")• generic web:
curl 'http://your-openchatbi-instance/tool/save_report?file_format=../../../../etc/passwd' -s | grep 'etc/passwd'disclosure
Exploit-Status
EPSS
0.08% (23% Perzentil)
CISA SSVC
The primary mitigation is to upgrade to openchatbi version 0.2.2 or later, which includes the necessary input sanitization fix. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing path traversal sequences in the file_format parameter. Additionally, restrict write access to the report directory to only the necessary user accounts and processes. Regularly review file system permissions and audit logs for any suspicious activity.
Actualice OpenChatBI a la versión 0.2.2 o superior. Esta versión contiene la corrección para la vulnerabilidad de path traversal en la herramienta save_report. La actualización se puede realizar a través del gestor de paquetes utilizado para instalar OpenChatBI.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2026-28795 is a Path Traversal vulnerability in openchatbi versions up to 0.2.1, allowing attackers to write files outside the intended report directory.
You are affected if you are using openchatbi version 0.2.1 or earlier. Check your version and upgrade immediately.
Upgrade to openchatbi version 0.2.2 or later to resolve the vulnerability. Consider WAF rules as a temporary mitigation.
There are currently no known active exploits or campaigns targeting CVE-2026-28795, but the HIGH severity warrants prompt remediation.
Refer to the openchatbi project's official repository or website for the latest security advisories and release notes.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Lade deine requirements.txt-Datei hoch und wir sagen dir sofort, ob du betroffen bist.