Platform: python
Component: opensift
Fixed in: 1.6.4
CVE-2026-28676 describes a path traversal vulnerability in OpenSift, an AI study tool. The flaw stems from insufficient base-directory containment in the storage helper functions and allows an attacker to read, write, or delete files. Versions of OpenSift prior to 1.6.3-alpha are affected, and the fix ships in that version.
The root cause is the way OpenSift's storage helpers construct file paths. By supplying path components such as '..' segments or absolute paths, an attacker can escape the intended directory restrictions. The consequences range from unauthorized reads of sensitive files to modification of critical system configuration or deletion of stored data. The blast radius covers any data stored and managed by OpenSift, bounded by the privileges the attacker can reach and by how the application is deployed. No direct precedent is apparent, but path traversal flaws are routinely exploited to gain broader system access, much as directory traversal flaws in web servers are.
CVE-2026-28676 was publicly disclosed on 2026-03-06. There is no indication that it has been added to the CISA KEV catalog, and no public proof-of-concept exploit is currently available. The EPSS score is expected to be low to medium, given the absence of public exploitation and the need for specific knowledge of OpenSift's internals.
Exploit Status
EPSS: 0.05% (16th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-28676 is to upgrade OpenSift to version 1.6.3-alpha or later, which contains the fix. If upgrading is not immediately feasible, add stricter input validation to every file path that reaches OpenSift's storage helpers: sanitize user-supplied input and enforce strict base-directory containment. Also review file access permissions so that OpenSift processes can reach only the files they actually need. After upgrading, confirm the fix by attempting to access files outside the intended storage directories with crafted path injection attempts.
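The base-directory containment check described above, as an added illustration that is not OpenSift's code (the names safe_join, unsafe_join, is_contained and demo_cases are assumptions): a naive join of the kind the advisory describes beside a hardened one that resolves the final path and refuses anything outside the base, exercised against '..' segments, an absolute path, an empty path and a symlink that points out of the store.

```python
import os, shutil, tempfile
from pathlib import Path

class PathContainmentError(ValueError):
    """Raised when a requested path would escape the storage base directory."""

def unsafe_join(base: str, user_path: str) -> Path:
    # Naive helper: an absolute user_path discards base and '..' survives.
    return Path(base) / user_path

def safe_join(base: str, user_path: str) -> Path:
    # resolve() collapses '.', '..' and follows symlinks, so the containment
    # check runs against the real filesystem location, not the raw string.
    if Path(user_path).is_absolute():
        raise PathContainmentError(f"absolute path not allowed: {user_path!r}")
    base_dir = Path(base).resolve()
    candidate = (base_dir / user_path).resolve()
    try:
        candidate.relative_to(base_dir)
    except ValueError:
        raise PathContainmentError(f"{user_path!r} escapes {base_dir}") from None
    if candidate == base_dir:  # the base itself is never a valid file target
        raise PathContainmentError("path resolves to the base directory itself")
    return candidate

def is_contained(base: str, user_path: str) -> bool:
    try:
        safe_join(base, user_path)
        return True
    except PathContainmentError:
        return False

def demo_cases() -> dict:
    # Exercise the check in a constructed temporary storage directory.
    base = tempfile.mkdtemp(prefix="store-demo-")
    try:
        (Path(base) / "notes").mkdir()
        cases = {"plain": "notes/a.txt", "dotdot_inside": "notes/../b.txt",
                 "dotdot_escape": "../secret", "absolute": "/etc/passwd", "empty": ""}
        results = {name: is_contained(base, p) for name, p in cases.items()}
        results["unsafe_escapes"] = str(unsafe_join(base, "/etc/passwd")) == "/etc/passwd"
        try:  # a symlink inside base that points outside must be refused too
            os.symlink(str(Path(base).parent), os.path.join(base, "escape"))
            results["symlink_escape"] = is_contained(base, "escape/secret")
        except OSError:
            results["symlink_escape"] = None  # platform refused to make a symlink
        return results
    finally:
        shutil.rmtree(base, ignore_errors=True)
```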
Update OpenSift to version 1.6.3-alpha or higher. This version contains a fix for the path traversal vulnerability. The update can be performed through the package manager used to install OpenSift.
CVE-2026-28676 is a path traversal vulnerability affecting OpenSift versions prior to 1.6.3-alpha. It allows attackers to read, write, or delete files by injecting path components such as '..' segments or absolute paths.
You are affected if you are using OpenSift versions less than or equal to 1.6.3-alpha. Verify your version and upgrade if necessary.
Upgrade OpenSift to version 1.6.3-alpha or later. Implement stricter input validation on file paths as a temporary workaround if upgrading is not immediately possible.
There is currently no public evidence of CVE-2026-28676 being actively exploited, but vigilance is still advised.
Refer to the OpenSift security advisories and release notes for detailed information and updates regarding CVE-2026-28676.