Platform: python
Component: opensift
Fixed in: 1.6.4
CVE-2026-28677 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in OpenSift, an AI study tool. The flaw could allow an attacker to reach internal resources and data by manipulating the URL ingest pipeline. The vulnerability affects versions of OpenSift up to and including 1.6.3-alpha, and has been resolved in version 1.6.3-alpha.
The SSRF vulnerability in OpenSift allows an attacker to craft malicious URLs that the application processes, effectively using the server to make requests to unintended destinations. In non-localhost deployments, this could lead to unauthorized access to internal services, databases, or cloud resources. An attacker could potentially exfiltrate sensitive data, perform reconnaissance on the internal network, or even trigger denial-of-service conditions by overwhelming internal services with requests. The absence of restrictions on credentialed URLs, non-standard ports, and cross-host redirects significantly expands the potential attack surface.
CVE-2026-28677 was publicly disclosed on 2026-03-06. The vulnerability's severity is rated HIGH with a CVSS score of 8.2. There are currently no publicly available proof-of-concept exploits. It is not listed on the CISA KEV catalog at the time of writing. The vulnerability's impact is amplified in environments where OpenSift is deployed with access to sensitive internal resources.
Exploit Status
EPSS: 0.05% (16th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-28677 is to upgrade OpenSift to version 1.6.3-alpha or later, which includes the necessary fixes. If upgrading immediately is not feasible, consider implementing temporary workarounds such as restricting outbound network access from the OpenSift server to only necessary destinations. Employing a Web Application Firewall (WAF) with SSRF protection rules can also help block malicious requests. Thoroughly review and restrict the URL ingest pipeline configuration to enforce stricter destination limitations, specifically addressing credentialed URLs, non-standard ports, and cross-host redirects. After upgrading, confirm the fix by attempting to access internal resources via the vulnerable URL ingest pipeline and verifying that the requests are blocked.
Update OpenSift to version 1.6.3-alpha or higher. This version corrects the insufficient URL destination restrictions, preventing potential SSRF attacks.
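The destination checks such an ingest pipeline needs, as an added example in Python (not OpenSift's own code): it rejects credentialed URLs and non-standard ports, refuses hosts that resolve to non-public addresses, and follows redirects only while they stay on the original host. The function names, hostnames and redirect table are constructed for illustration.

```python
# Destination checks for a URL ingest pipeline (added example, not OpenSift code). It closes
# the gaps the advisory names: credentialed URLs, non-standard ports, cross-host redirects.
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def resolve(host):  # default resolver; tests inject a lookup table so nothing touches the network
    return {ai[4][0] for ai in socket.getaddrinfo(host, None)}

def check_ingest_url(url, resolver=resolve):
    """Return (ok, reason) for a URL the server is about to fetch on a user's behalf."""
    p = urlsplit(url)
    if p.scheme not in DEFAULT_PORTS or not p.hostname:
        return False, "scheme or host not allowed"
    if p.username is not None or p.password is not None:
        return False, "credentialed URL"  # user:pass@host is never a legitimate ingest target
    try:
        port = p.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False, "invalid port"
    if port is not None and port != DEFAULT_PORTS[p.scheme]:
        return False, "non-standard port"
    try:
        addrs = resolver(p.hostname)
    except (KeyError, OSError):  # socket.gaierror is an OSError
        return False, "unresolvable host"
    for a in addrs:  # loopback, RFC 1918 and link-local (cloud metadata) are all non-global
        if not ipaddress.ip_address(a).is_global:
            return False, f"non-public address {a}"
    return True, "ok"

def fetch_with_redirect_policy(url, fetch, resolver=resolve, max_hops=5):
    """Follow redirects only while each hop passes the checks and stays on the original host.
    fetch(url) returns (status, location_or_body); it is injected so tests run offline."""
    origin = urlsplit(url).hostname
    for _ in range(max_hops):
        ok, reason = check_ingest_url(url, resolver)
        if not ok:
            return False, reason
        status, value = fetch(url)
        if status not in (301, 302, 303, 307, 308):
            return True, value
        nxt = urljoin(url, value)  # relative Location headers resolve against the current URL
        if urlsplit(nxt).hostname != origin:
            return False, "cross-host redirect blocked"
        url = nxt
    return False, "too many redirects"
```

Pass a real HTTP fetch function that does not follow redirects on its own, so every hop goes through the checks above.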
CVE-2026-28677 is a Server-Side Request Forgery (SSRF) vulnerability in OpenSift versions up to 1.6.3-alpha, allowing attackers to make requests through the server to unintended destinations.
You are affected if you are using OpenSift versions 1.6.3-alpha or earlier. Upgrade to 1.6.3-alpha to resolve the vulnerability.
Upgrade OpenSift to version 1.6.3-alpha or later. As a temporary workaround, restrict outbound network access and implement WAF rules.
There are currently no reports of active exploitation, but the vulnerability's severity warrants immediate attention and mitigation.
Refer to the OpenSift project's official security advisories for the most up-to-date information and guidance: [https://www.openshift.com/security/advisories/](https://www.openshift.com/security/advisories/)