8.8
OpenSift: Malicious File Access Through Path Manipulation
CVE-2026-28676
Summary
OpenSift versions prior to 1.6.3-alpha had a weakness that could allow attackers to access or modify files outside of their intended directory. This could have serious consequences, but it has been fixed in version 1.6.3-alpha. To stay safe, make sure to use the patched version 1.6.3-alpha or later.
Original title
OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI. Prior to version 1.6.3-alpha, multiple storage helpers used path construction patterns that d...
Original description
OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI. Prior to version 1.6.3-alpha, multiple storage helpers used path construction patterns that did not uniformly enforce base-directory containment. This created path-injection risk in file read/write/delete flows if malicious path-like values were introduced. This issue has been patched in version 1.6.3-alpha.
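The base-directory containment check that the description says was not uniformly enforced can be sketched as below. This is an added example, not OpenSift's code or its patch: the function names, the choice of Python, and the sample inputs are assumptions constructed for illustration, and it expects a POSIX system.

```python
import os
import tempfile
from pathlib import Path


class PathEscapeError(ValueError):
    """Raised when a requested path resolves outside the storage base."""


def naive_path(base: Path, name: str) -> Path:
    # Pattern without containment: join and use the result directly.
    # An absolute `name` silently replaces `base` in the join.
    return base / name


def contained_path(base: Path, name: str) -> Path:
    # Resolve both sides first so "..", absolute inputs and symlinks are
    # collapsed, then compare path components rather than a string prefix
    # (a prefix test would accept the sibling "store_backup" for "store").
    base_real = base.resolve()
    candidate = (base_real / name).resolve()
    if os.path.commonpath([str(base_real), str(candidate)]) != str(base_real):
        raise PathEscapeError(f"{name!r} resolves outside {base_real}")
    return candidate


def accepts(base: Path, name: str) -> bool:
    try:
        contained_path(base, name)
        return True
    except PathEscapeError:
        return False


def demo() -> dict:
    # Constructed layout: a storage base, a sibling directory sharing its
    # name prefix, and a symlink inside the base that points outside it.
    with tempfile.TemporaryDirectory() as root:
        base = Path(root) / "store"
        base.mkdir()
        (Path(root) / "store_backup").mkdir()
        os.symlink(root, base / "link")
        names = ["notes/ch1.txt", "a/../b.txt", "../store_backup/x",
                 "/etc/hostname", "link/x"]
        return {name: accepts(base, name) for name in names}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name!r:22} {'accepted' if ok else 'rejected'}")
```

Every read, write and delete helper would need to obtain its path through the same checked function for the containment to be uniform.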
nvd CVSS3.1
8.8
Vulnerability type
CWE-22
Path Traversal
- https://github.com/OpenSift/OpenSift/commit/1126e0a503876056a68a434e19f64158a5a4...
- https://github.com/OpenSift/OpenSift/commit/de99b9c
- https://github.com/OpenSift/OpenSift/pull/67
- https://github.com/OpenSift/OpenSift/releases/tag/v1.6.3-alpha
- https://github.com/OpenSift/OpenSift/security/advisories/GHSA-ww4m-c7hv-2rqv
Published: 6 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026