OpenSift allows accessing private networks via malicious URLs
CVE-2026-27170 · Severity score: 7.1
Summary
A bug in OpenSift versions 1.1.2-alpha and earlier lets attackers reach private networks from the OpenSift server. This is exploitable when the server is configured to ingest URLs from untrusted sources. To fix it, update to version 1.1.3-alpha; if trusted local-only URLs must still be ingested, the setting OPENSIFT_ALLOW_PRIVATE_URLS=true re-enables them and should be used with caution.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| opensift | opensift | <= 1.1.3 | – |
Original title
OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI. In versions 1.1.2-alpha and below, URL ingest allows overly permissive server-side fetch beha...
Original description
OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI. In versions 1.1.2-alpha and below, URL ingest allows overly permissive server-side fetch behavior and can be coerced into requesting unsafe targets. This allows potential access to, or probing of, private/local network resources from the OpenSift host process when ingesting attacker-controlled URLs. This issue has been fixed in version 1.1.3-alpha. To work around this when using trusted local-only exceptions, use OPENSIFT_ALLOW_PRIVATE_URLS=true with caution.
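The description above says the flaw is that the URL-ingest path fetches whatever host the URL names, so the server can be pointed at private or local addresses, and that the fix is to refuse such targets unless an explicit private-URL setting is on. The following Python module is an added example of that kind of guard, written for this page; it is not OpenSift's code and does not reproduce the project's fix. It assumes an ingest endpoint that receives a URL string, and it treats the OPENSIFT_ALLOW_PRIVATE_URLS environment variable purely as an opt-in boolean, which is an assumption about how the project interprets that setting. The FAKE_DNS table and the fake_resolver are constructed so the demonstration runs offline; in production the default resolver uses the system DNS.

```python
"""SSRF guard for a URL-ingest endpoint (hypothetical example, not OpenSift code).

Design: validate the *resolved* addresses, not the hostname string. A hostname
such as "localhost", a decimal/hex IPv4 literal, or an IPv4-mapped IPv6 literal
all end up as real addresses here, so string-based deny-lists are not needed.
"""
import ipaddress
import os
import socket
from typing import Callable, Dict, Iterable, List
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}

# Ranges that the ipaddress "is_private" family does not flag on every Python
# version, so they are listed explicitly.
EXTRA_BLOCKED = [
    ipaddress.ip_network("100.64.0.0/10"),  # carrier-grade NAT (RFC 6598)
    ipaddress.ip_network("0.0.0.0/8"),      # "this" network
]


class UnsafeURL(ValueError):
    """Raised when the server must not fetch the given URL."""


def _unwrap(ip):
    """Treat ::ffff:a.b.c.d as the IPv4 address it maps to."""
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip


def is_private_address(addr: str) -> bool:
    """True for loopback, RFC 1918, link-local, multicast, reserved, etc."""
    ip = _unwrap(ipaddress.ip_address(addr))
    if (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
        return True
    return any(ip in net for net in EXTRA_BLOCKED)


def _system_resolve(host: str) -> List[str]:
    """Default resolver: every A/AAAA answer the system DNS returns."""
    infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def vet_ingest_url(url: str, allow_private: bool = False,
                   resolver: Callable[[str], Iterable[str]] = _system_resolve) -> List[str]:
    """Return the vetted addresses for ``url`` or raise UnsafeURL.

    The caller should connect to one of the returned addresses (and send the
    original Host header) rather than resolving again, so a DNS answer cannot
    change between the check and the connection (DNS rebinding).
    """
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise UnsafeURL("URL has no host")
    if parts.username or parts.password:
        raise UnsafeURL("credentials in URL are not accepted")
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP, no lookup
    except ValueError:
        try:
            addrs = list(resolver(host))
        except OSError as exc:
            raise UnsafeURL(f"cannot resolve {host!r}: {exc}") from exc
        if not addrs:
            raise UnsafeURL(f"no addresses for {host!r}")
    # Reject if *any* answer is non-public: a dual-homed name is still a hole.
    bad = [a for a in addrs if is_private_address(a)]
    if bad and not allow_private:
        raise UnsafeURL(f"{host!r} resolves to non-public address(es): {bad}")
    return addrs


def is_safe_ingest_url(url: str, allow_private: bool = False,
                       resolver: Callable[[str], Iterable[str]] = _system_resolve) -> bool:
    """Boolean convenience wrapper around vet_ingest_url."""
    try:
        vet_ingest_url(url, allow_private, resolver)
        return True
    except UnsafeURL:
        return False


def private_urls_allowed(environ: Dict[str, str] = os.environ) -> bool:
    """Assumed semantics of the opt-in flag named in the advisory: only the
    exact value "true" (case-insensitive) enables private targets."""
    return environ.get("OPENSIFT_ALLOW_PRIVATE_URLS", "").strip().lower() == "true"


# Constructed sample DNS answers so the example runs without network access.
FAKE_DNS: Dict[str, List[str]] = {
    "docs.example": ["93.184.216.34"],
    "intranet.example": ["10.0.0.5"],
    "mixed.example": ["93.184.216.34", "10.0.0.5"],
    "localhost": ["127.0.0.1", "::1"],
}


def fake_resolver(host: str) -> List[str]:
    """Offline stand-in for _system_resolve using the constructed table."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(-2, "Name or service not known")


if __name__ == "__main__":
    allow = private_urls_allowed()
    for candidate in ["https://docs.example/paper.pdf", "https://intranet.example/wiki",
                      "http://169.254.10.20/", "http://[::ffff:127.0.0.1]/",
                      "http://localhost:8000/", "ftp://docs.example/"]:
        try:
            print("ALLOW", candidate, "->", vet_ingest_url(candidate, allow, fake_resolver))
        except UnsafeURL as err:
            print("DENY ", candidate, "->", err)
```

Two properties matter beyond the check itself: the fetcher must not follow redirects automatically, because each Location header is a new URL that needs the same vetting, and it must connect to the address the check returned instead of resolving the name a second time. Both of those are the fetcher's job; this module only decides whether a target is acceptable.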
NVD CVSS 3.1 score: 7.1
Vulnerability type
- CWE-20: Improper Input Validation
- CWE-918: Server-Side Request Forgery (SSRF)
References
- Product Release Notes: https://github.com/OpenSift/OpenSift/releases/tag/v1.1.3-alpha
- Vendor Advisory: https://github.com/OpenSift/OpenSift/security/advisories/GHSA-3w2r-hj5p-h6pp
Published: 21 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026