Platform: python
Component: openchatbi
Fixed in: 0.2.3, 0.2.2
CVE-2026-28795 describes a critical Path Traversal vulnerability within the save_report tool of openchatbi. This flaw allows attackers to manipulate file paths, potentially writing files to arbitrary locations on the system. The vulnerability affects versions of openchatbi up to and including 0.2.1, and a fix is available in version 0.2.2.
The core issue is insufficient sanitization of the file_format parameter in the save_report.py script. Leading dots are stripped from the value, but path traversal sequences such as /../../ inside it are not handled. When the filename is constructed, these sequences are preserved, so the resulting path can escape the intended report directory. An attacker could leverage this to overwrite critical system files, inject malicious code, or gain unauthorized access to sensitive data. The potential impact extends beyond simple file manipulation; successful exploitation could lead to complete system compromise.
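The sanitization gap described above, shown as an added illustration rather than openchatbi's own code: a naive builder that only strips leading dots (the flawed pattern the advisory describes) next to a hardened builder that allowlists the extension and verifies the resolved path still lies inside the report directory. REPORT_DIR, ALLOWED_FORMATS and the function names are assumptions made for this example, and the traversal input used for testing is constructed.

```python
import os
from pathlib import Path

# Assumed values for this example only; not taken from openchatbi.
REPORT_DIR = Path("/tmp/reports")
ALLOWED_FORMATS = {"csv", "json", "md", "html"}


def naive_report_path(file_format: str, stem: str = "report") -> Path:
    """Flawed pattern: only leading dots are removed, so a value containing
    '/../../' is joined into the path unchanged and can leave REPORT_DIR."""
    cleaned = file_format.lstrip(".")
    return REPORT_DIR / f"{stem}.{cleaned}"


def safe_report_path(file_format: str, stem: str = "report") -> Path:
    """Hardened pattern: reject anything outside a fixed allowlist, then
    confirm the fully resolved path is still under the report directory."""
    cleaned = file_format.strip().lstrip(".").lower()
    if cleaned not in ALLOWED_FORMATS:
        raise ValueError(f"unsupported report format: {file_format!r}")
    base = REPORT_DIR.resolve()
    candidate = (base / f"{stem}.{cleaned}").resolve()
    # resolve() collapses '..' and follows symlinks, so containment is checked
    # against the real location, not the textual path.
    if base not in candidate.parents:
        raise ValueError("report path escapes the report directory")
    return candidate


def escapes_report_dir(path: Path) -> bool:
    """Audit helper: would this (possibly unresolved) path land outside
    REPORT_DIR once '..' components are collapsed? Uses normpath so it
    works without touching the filesystem."""
    base = Path(os.path.normpath(REPORT_DIR))
    target = Path(os.path.normpath(path))
    return target != base and base not in target.parents


def accepts(file_format: str) -> bool:
    """Does the hardened builder accept this file_format value?"""
    try:
        safe_report_path(file_format)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed traversal value of the kind the advisory describes.
    traversal = "/../../escaped.txt"
    print("naive path:", naive_report_path(traversal),
          "escapes:", escapes_report_dir(naive_report_path(traversal)))
    print("hardened accepts traversal:", accepts(traversal))
    print("hardened accepts 'csv':", accepts("csv"))
```

The allowlist alone would already block the traversal string, but the containment check is kept as a second, independent control so that a later loosening of the allowlist does not silently reintroduce the flaw.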
This vulnerability was publicly disclosed on 2026-03-02. There are currently no known public exploits or active campaigns targeting this vulnerability. The CVSS score of 7.5 (HIGH) indicates a significant risk, and it is recommended to prioritize remediation. No KEV listing at this time.
Exploit Status
EPSS: 0.08% (23rd percentile)
CISA SSVC
The primary mitigation is to upgrade to openchatbi version 0.2.2 or later, which includes the necessary input sanitization fixes. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious path traversal sequences in the file_format parameter. Additionally, restrict write access to the report directory to only the necessary user accounts. Regularly review and audit the application's file handling logic to identify and address potential vulnerabilities.
Update OpenChatBI to version 0.2.2 or later. This version contains the fix for the path traversal vulnerability in the save_report tool. The update can be performed through the package manager used to install OpenChatBI.
CVE-2026-28795 is a Path Traversal vulnerability in openchatbi versions up to 0.2.1, allowing attackers to write files outside the intended report directory.
You are affected if you are using openchatbi version 0.2.1 or earlier. Check your version and upgrade immediately.
Upgrade to openchatbi version 0.2.2 or later to resolve the vulnerability. Consider WAF rules as a temporary mitigation.
There are currently no known active exploits or campaigns targeting CVE-2026-28795, but the HIGH severity warrants prompt remediation.
Refer to the openchatbi project's official repository or website for the latest security advisories and release notes.