1.6.4
CVE-2026-28677 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in OpenSift, an AI study tool. This flaw allows attackers to potentially access internal resources and data by manipulating URL ingest pipelines. The vulnerability affects versions of OpenSift up to and including 1.6.3-alpha, and has been resolved in version 1.6.3-alpha.
The SSRF vulnerability in OpenSift allows an attacker to craft malicious URLs that the application processes, effectively using the server to make requests to unintended destinations. In non-localhost deployments, this could lead to unauthorized access to internal services, databases, or cloud resources. An attacker could potentially exfiltrate sensitive data, perform reconnaissance on the internal network, or even trigger denial-of-service conditions by overwhelming internal services with requests. The absence of restrictions on credentialed URLs, non-standard ports, and cross-host redirects significantly expands the attack surface.
CVE-2026-28677 was publicly disclosed on 2026-03-06. The vulnerability's severity is rated HIGH with a CVSS score of 8.2. There are currently no publicly available proof-of-concept exploits. It is not listed on the CISA KEV catalog at the time of writing. The vulnerability's impact is amplified in environments where OpenSift is deployed with access to sensitive internal resources.
Organizations utilizing OpenSift in production environments, particularly those with non-localhost deployments, are at risk. Environments where OpenSift processes data from untrusted sources are especially vulnerable. Shared hosting environments where OpenSift instances share network resources also face increased risk.
• linux / server: Examine OpenSift logs for unusual outbound requests to internal or unexpected external hosts. Use journalctl -u opensift to filter for HTTP requests originating from the OpenSift process:

    journalctl -u opensift | grep -i "http:" | grep -v "localhost"

• generic web: Monitor access logs for requests to the URL ingest endpoint with suspicious parameters. Look for URLs containing internal IP addresses or hostnames (dots are escaped and the 192.168.0.0/16 range is written out as a pattern, since CIDR notation is not a regular expression):

    grep -i -E "(127\.0\.0\.1|192\.168\.[0-9]{1,3}\.[0-9]{1,3}|internal\.example\.com)" /var/log/apache2/access.log
EPSS: 0.05% (16th percentile)
The primary mitigation for CVE-2026-28677 is to upgrade OpenSift to version 1.6.3-alpha or later, which includes the necessary fixes. If upgrading immediately is not feasible, consider implementing temporary workarounds such as restricting outbound network access from the OpenSift server to only necessary destinations. Employing a Web Application Firewall (WAF) with SSRF protection rules can also help block malicious requests. Thoroughly review and restrict the URL ingest pipeline configuration to enforce stricter destination limitations, specifically addressing credentialed URLs, non-standard ports, and cross-host redirects. After upgrading, confirm the fix by attempting to access internal resources via the vulnerable URL ingest pipeline and verifying that the requests are blocked.
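To illustrate the three destination restrictions named above (credentialed URLs, non-standard ports, cross-host redirects), here is an added example of an ingest-URL validator in Python; it is not OpenSift's code, and the function names and rejection messages are assumptions. It also rejects loopback and private-range hosts, which the detection guidance above treats as suspicious destinations.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical hardening check for a URL ingest pipeline (added example, not
# OpenSift code). It enforces the restrictions the advisory names: no
# credentialed URLs, no non-standard ports, no cross-host redirects. DNS
# resolution and the HTTP client itself are out of scope here.

ALLOWED_SCHEMES = {"http", "https"}
STANDARD_PORTS = {"http": 80, "https": 443}


def is_public_host(host: str) -> bool:
    """Reject IP literals in loopback, private, link-local or reserved ranges."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        # Not an IP literal. A real deployment must resolve the name and
        # re-check every resolved address, otherwise DNS can point inward.
        return host.lower() != "localhost"
    return ip.is_global


def validate_ingest_url(url: str) -> tuple[bool, str]:
    """Return (ok, reason) for a URL submitted to the ingest endpoint."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentialed URL rejected"
    if not parts.hostname:
        return False, "missing host"
    try:
        port = parts.port  # ValueError on a non-numeric or out-of-range port
    except ValueError:
        return False, "invalid port"
    if port is not None and port != STANDARD_PORTS[parts.scheme]:
        return False, "non-standard port rejected"
    if not is_public_host(parts.hostname):
        return False, "non-public host rejected"
    return True, "ok"


def validate_redirect(original_url: str, location: str) -> tuple[bool, str]:
    """Re-validate a redirect target and require it to stay on the same host."""
    ok, reason = validate_ingest_url(location)
    if not ok:
        return False, reason
    if urlsplit(location).hostname != urlsplit(original_url).hostname:
        return False, "cross-host redirect rejected"
    return True, "ok"
```

The redirect check is meant to be called on every 3xx hop rather than only once, so each intermediate Location header is validated before the client follows it.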
Update OpenSift to 1.6.3-alpha or later. This version fixes the insufficient URL destination restrictions and thereby prevents potential SSRF attacks.
CVE-2026-28677 is a Server-Side Request Forgery (SSRF) vulnerability in OpenSift versions up to 1.6.3-alpha, allowing attackers to make requests through the server to unintended destinations.
You are affected if you are using OpenSift versions 1.6.3-alpha or earlier. Upgrade to 1.6.3-alpha to resolve the vulnerability.
Upgrade OpenSift to version 1.6.3-alpha or later. As a temporary workaround, restrict outbound network access and implement WAF rules.
There are currently no reports of active exploitation, but the vulnerability's severity warrants immediate attention and mitigation.
Refer to the OpenSift project's official security advisories for the most up-to-date information and guidance: [https://www.openshift.com/security/advisories/](https://www.openshift.com/security/advisories/)