Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.5
Uploaded documents are publicly accessible in Initiative project management platform
CVE-2026-28276
Summary
Versions of Initiative project management platform prior to 0.32.2 allow anyone to view uploaded documents without a login. This means sensitive documents are at risk of being seen by unauthorized users. Update to version 0.32.2 or higher to fix this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| morelitea | initiative | <= 0.32.2 | – |
Original title
Initiative is a self-hosted project management platform. An access control vulnerability exists in Initiative versions prior to 0.32.2 where uploaded documents are served from a publicly accessible...
Original description
Initiative is a self-hosted project management platform. An access control vulnerability exists in Initiative versions prior to 0.32.2 where uploaded documents are served from a publicly accessible /uploads/ directory without any authentication or authorization checks. Any uploaded file can be accessed directly via its URL by unauthenticated users (e.g., in an incognito browser session), leading to potential disclosure of sensitive documents. The problem was patched in v0.32.2, and the patch was further improved on in 032.4.
nvd CVSS3.1
7.5
Vulnerability type
CWE-200
Information Exposure
CWE-284
Improper Access Control
CWE-862
Missing Authorization
- https://github.com/Morelitea/initiative/releases/tag/v0.32.2 Product Release Notes
- https://github.com/Morelitea/initiative/security/advisories/GHSA-w34j-fx72-h2pq Vendor Advisory
Published: 26 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026