Platform
python
Component
opensift
Fixed in
1.6.4
CVE-2026-28677 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in OpenSift, an AI study tool. This flaw allows attackers to potentially access internal resources and data by manipulating URL ingest pipelines. The vulnerability affects versions of OpenSift up to and including 1.6.3-alpha, and has been resolved in version 1.6.3-alpha.
The SSRF vulnerability in OpenSift allows an attacker to craft malicious URLs that the application processes, effectively using the server to make requests to unintended destinations. In non-localhost deployments, this could lead to unauthorized access to internal services, databases, or cloud resources. An attacker could potentially exfiltrate sensitive data, perform reconnaissance on the internal network, or even trigger denial-of-service conditions by overwhelming internal services with requests. The lack of proper restrictions on credentialed URLs, non-standard ports, and cross-host redirects significantly expands the potential attack surface.
CVE-2026-28677 was publicly disclosed on 2026-03-06. The vulnerability's severity is rated HIGH with a CVSS score of 8.2. There are currently no publicly available proof-of-concept exploits. It is not listed on the CISA KEV catalog at the time of writing. The vulnerability's impact is amplified in environments where OpenSift is deployed with access to sensitive internal resources.
Organizations utilizing OpenSift in production environments, particularly those with non-localhost deployments, are at risk. Environments where OpenSift processes data from untrusted sources are especially vulnerable. Shared hosting environments where OpenSift instances share network resources also face increased risk.
• linux / server: Examine OpenSift logs for unusual outbound requests to internal or unexpected external hosts. Use journalctl -u opensift to filter for HTTP requests originating from the OpenSift process.
  journalctl -u opensift | grep -i "http:" | grep -v "localhost"
• generic web: Monitor access logs for requests to the URL ingest endpoint with suspicious parameters. Look for URLs containing internal IP addresses or hostnames (the pattern below matches loopback and 192.168.x.x literals plus an example internal hostname; escape dots so they are not regex wildcards).
  grep -i -E "(127\.0\.0\.1|192\.168\.[0-9]+\.[0-9]+|internal\.example\.com)" /var/log/apache2/access.log
Exploit status
EPSS
0.05% (16th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-28677 is to upgrade OpenSift to version 1.6.3-alpha or later, which includes the necessary fixes. If upgrading immediately is not feasible, consider implementing temporary workarounds such as restricting outbound network access from the OpenSift server to only necessary destinations. Employing a Web Application Firewall (WAF) with SSRF protection rules can also help block malicious requests. Thoroughly review and restrict the URL ingest pipeline configuration to enforce stricter destination limitations, specifically addressing credentialed URLs, non-standard ports, and cross-host redirects. After upgrading, confirm the fix by attempting to access internal resources via the vulnerable URL ingest pipeline and verifying that the requests are blocked.
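As an added example (not OpenSift's own code), the Python validator below implements the three restrictions the advisory calls for on a URL ingest pipeline: it rejects credentialed URLs and non-standard ports, requires every resolved address to be publicly routable, and re-checks each redirect hop so cross-host redirects are refused. The function names, the injectable `resolver` parameter, and the hostnames used are assumptions for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
STANDARD_PORTS = {"http": 80, "https": 443}

def resolve_all(host):
    """All A/AAAA answers for host; getaddrinfo passes IP literals through."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def check_ingest_url(url, resolver=resolve_all):
    """Return (ok, reason). Rejects credentialed URLs, non-standard ports and
    destinations resolving to non-public (loopback/private/link-local) IPs."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentialed URL"
    if not parts.hostname:
        return False, "missing host"
    try:
        port = parts.port  # ValueError on a non-numeric port
    except ValueError:
        return False, "invalid port"
    if port is not None and port != STANDARD_PORTS[parts.scheme]:
        return False, "non-standard port"
    try:
        addrs = resolver(parts.hostname)
    except (socket.gaierror, LookupError):  # injected resolvers may raise KeyError
        return False, "unresolvable host"
    for addr in addrs:  # every answer must be public, not just the first
        if not ipaddress.ip_address(addr).is_global:
            return False, f"non-public address {addr}"
    return True, "ok"

def check_redirect_chain(first_url, hops, resolver=resolve_all):
    """Validate each redirect target (fetch with auto-follow disabled) and
    reject any hop that leaves the original host."""
    origin = urlsplit(first_url).hostname
    ok, why = check_ingest_url(first_url, resolver)
    if not ok:
        return False, why
    for target in hops:
        ok, why = check_ingest_url(target, resolver)
        if not ok:
            return False, f"redirect rejected: {why}"
        if urlsplit(target).hostname != origin:
            return False, "cross-host redirect"
    return True, "ok"
```

Because DNS answers can change between validation and fetch, the fetcher should connect to the addresses it validated rather than re-resolving the name.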
Upgrade OpenSift to version 1.6.3-alpha or later. This version fixes the insufficient restrictions on destination URLs, preventing possible SSRF attacks.
CVE-2026-28677 is a Server-Side Request Forgery (SSRF) vulnerability in OpenSift versions up to 1.6.3-alpha, allowing attackers to make requests through the server to unintended destinations.
You are affected if you are using OpenSift versions 1.6.3-alpha or earlier. Upgrade to 1.6.3-alpha to resolve the vulnerability.
Upgrade OpenSift to version 1.6.3-alpha or later. As a temporary workaround, restrict outbound network access and implement WAF rules.
There are currently no reports of active exploitation, but the vulnerability's severity warrants immediate attention and mitigation.
Refer to the OpenSift project's official security advisories for the most up-to-date information and guidance: [https://www.openshift.com/security/advisories/](https://www.openshift.com/security/advisories/)