Platform
python
Component
opensift
Fixed in
1.1.4
CVE-2026-27170 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in OpenSift, an AI study tool. This vulnerability allows attackers to potentially access and probe private or local network resources from the OpenSift host process by crafting malicious URLs. The vulnerability affects versions 1.1.2-alpha and earlier, and has been resolved in version 1.1.3-alpha.
The flaw is that OpenSift fetches user-supplied URLs from its own host process without checking where they point. An attacker who can get the application to ingest a URL they control can therefore make the OpenSift host issue requests to destinations of the attacker's choosing, including loopback, RFC 1918 private ranges, and link-local addresses. Anything reachable from that host is in scope: internal HTTP services and admin interfaces, configuration or status endpoints that leak credentials, internal APIs, and, on cloud instances, the instance metadata service. Even where response bodies are not returned to the attacker, differences in errors and timing are enough to map internal hosts and open ports. The advisory does not state whether response content is reflected back (full-read SSRF) or only reachability (blind SSRF), so no direct data exfiltration can be assumed, but the ability to probe internal resources from a trusted host is a significant risk on its own.
This vulnerability was publicly disclosed on 2026-02-20. No public proof-of-concept exploit is known, but SSRF bugs of this kind need nothing more than a crafted URL to test, so a working exploit is trivial to produce. The EPSS score is low (0.05%, 16th percentile), reflecting the absence of observed exploitation rather than any difficulty in exploiting it. It is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS
0.05% (16th percentile)
CISA SSVC
CVSS Vector
The fix for CVE-2026-27170 is to upgrade OpenSift to version 1.1.3-alpha or later. There is no configuration workaround for unpatched versions: the environment variable OPENSIFT_ALLOW_PRIVATE_URLS=true is the switch that permits requests to private and local addresses, so setting it weakens the protection rather than providing it. Leave it unset unless you deliberately need OpenSift to ingest content from local or internal hosts you trust, and in that case restrict which hosts are reachable with network controls. Independently of the upgrade, monitor OpenSift's outbound requests for destinations in loopback, private, and link-local ranges (the cloud metadata endpoint in particular), and run the host in a network segment that cannot reach internal services or metadata endpoints it does not need. After upgrading, confirm the fix by ingesting a URL that points at a loopback or link-local address (for example http://127.0.0.1/ or http://169.254.169.254/) and verifying that OpenSift rejects it instead of fetching it.
Update OpenSift to version 1.1.3-alpha or higher. Leave OPENSIFT_ALLOW_PRIVATE_URLS unset (or false); set it to true only if you deliberately need local or internal sources and trust every host the process can reach.
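As an added illustration (not OpenSift's own code, which this page does not show), the Python check below has the shape a fix for this class of bug takes: it accepts only http/https, resolves the destination, refuses every address that is loopback, private, link-local (including 169.254.169.254), CGNAT, multicast or reserved, unwraps IPv4-mapped IPv6 literals so `::ffff:127.0.0.1` cannot slip past an IPv4-only check, and fails closed when a host cannot be resolved. It exposes the opt-out the advisory names; treating that variable as a blanket allow-private switch, and the hostnames and addresses in `demo_resolver`, are assumptions constructed for the example.

```python
import ipaddress
import os
import socket
from urllib.parse import urlparse

# Variable name taken from the advisory; its exact semantics in OpenSift are
# not shown on the page, so "any value other than true means deny" is assumed.
ALLOW_PRIVATE_ENV = "OPENSIFT_ALLOW_PRIVATE_URLS"
ALLOWED_SCHEMES = {"http", "https"}


def is_blocked_address(addr):
    """True for destinations an SSRF filter must refuse: loopback, RFC 1918,
    link-local (covers the 169.254.169.254 metadata endpoint), CGNAT,
    multicast, reserved and unspecified. IPv4-mapped IPv6 literals are
    unwrapped first so ::ffff:127.0.0.1 is judged as 127.0.0.1."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (not ip.is_global) or ip.is_multicast or ip.is_reserved or ip.is_unspecified


def system_resolver(host):
    """Every A/AAAA answer the OS resolver returns for host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def demo_resolver(host):
    """Constructed, offline stand-in for DNS so the example runs without network."""
    table = {
        "example.org": ["93.184.216.34"],
        "wiki.internal": ["10.1.2.3"],
        "dual.example": ["93.184.216.34", "192.168.1.1"],  # one public, one private answer
    }
    if host not in table:
        raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")
    return table[host]


def check_url(url, resolver=system_resolver, allow_private=None):
    """Decide whether url may be fetched. Returns (allowed, reason, addresses).
    Every failure path returns allowed=False, i.e. the check fails closed."""
    if allow_private is None:
        allow_private = os.environ.get(ALLOW_PRIVATE_ENV, "").lower() == "true"
    try:
        parts = urlparse(url)
    except ValueError as exc:
        return False, "unparseable url: %s" % exc, []
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % parts.scheme, []
    if parts.username or parts.password:
        return False, "credentials in url", []
    host = parts.hostname
    if not host:
        return False, "missing host", []
    try:
        # Literal address: no DNS involved, judge it directly.
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        # Hostname: judge every address it resolves to, not just the first.
        try:
            addresses = resolver(host)
        except OSError as exc:
            return False, "resolution failed: %s" % exc, []
    if not addresses:
        return False, "no addresses for host", []
    blocked = [a for a in addresses if is_blocked_address(a)]
    if blocked and not allow_private:
        return False, "private or local destination %s" % blocked, addresses
    return True, "ok", addresses


if __name__ == "__main__":
    samples = [
        "http://example.org/paper.pdf",                 # allowed
        "http://127.0.0.1:8000/admin",                  # loopback literal
        "http://169.254.169.254/latest/meta-data/",     # cloud metadata endpoint
        "http://[::ffff:10.0.0.5]/",                    # IPv4-mapped IPv6 literal
        "http://wiki.internal/",                        # resolves to RFC 1918
        "http://dual.example/",                         # one of two answers is private
        "http://2130706433/",                           # decimal form of 127.0.0.1
        "file:///etc/passwd",                           # non-HTTP scheme
    ]
    for sample in samples:
        print(sample, "->", check_url(sample, demo_resolver, allow_private=False))
```

Two caveats matter when wiring a check like this into a fetcher. First, validating the hostname and then fetching by hostname leaves a DNS rebinding window: connect to the address the check approved (or re-run the check at connect time) rather than letting the HTTP client resolve again. Second, redirects are a second request, so each hop must be checked before it is followed. The decimal-IP sample above is refused under the demo resolver because the name is unknown; with the real system resolver `getaddrinfo` maps it to 127.0.0.1 and it is refused as loopback, which is why the filter judges resolved addresses rather than the textual host.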
CVE-2026-27170 is a Server-Side Request Forgery (SSRF) vulnerability in OpenSift versions 1.1.2-alpha and earlier, allowing attackers to probe internal network resources via malicious URLs.
You are affected if you are using OpenSift versions 1.1.2-alpha or earlier. Upgrade to 1.1.3-alpha to resolve the vulnerability.
Upgrade OpenSift to version 1.1.3-alpha. There is no configuration workaround; OPENSIFT_ALLOW_PRIVATE_URLS=true re-enables requests to private and local addresses and should stay unset unless you deliberately need that behaviour.
While no active exploitation has been confirmed, the SSRF nature of the vulnerability makes it a potential target for attackers.
Refer to the OpenSift project's official security advisories for the latest information and updates regarding CVE-2026-27170.