
OpenSift AI Tool Allows Access to Unauthorized Remote Data

CVE-2026-28677
Summary

OpenSift, a tool used to analyze large datasets, had a security issue in its URL ingest pipeline: the restrictions on which remote URLs it would fetch were incomplete, so users could reach unauthorized data on other hosts through the server. Only deployments that are not localhost-only are exposed. The issue has been fixed in version 1.6.3-alpha, so update to this version or later.

Original description
OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI. Prior to version 1.6.3-alpha, the URL ingest pipeline accepted user-controlled remote URLs with incomplete destination restrictions. Although private/local host checks existed, missing restrictions for credentialed URLs, non-standard ports, and cross-host redirects left SSRF-class abuse paths in non-localhost deployments. This issue has been patched in version 1.6.3-alpha.
NVD CVSS 3.1 score: 8.2
Vulnerability type
CWE-918 Server-Side Request Forgery (SSRF)
Published: 6 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026
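
The three gaps named in the description (credentialed URLs, non-standard ports, cross-host redirects) can be closed alongside the private/local host check in one ingest guard. The Python sketch below is an added illustration, not OpenSift's code or its 1.6.3-alpha patch; `check_url`, `fetch_checked`, the `fetch_hop` callable and the default-ports-only policy are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

ALLOWED_PORTS = {"http": 80, "https": 443}  # assumption: default ports only
MAX_REDIRECTS = 5                            # assumption

class BlockedURL(ValueError):
    """Raised when a URL or redirect hop is not an acceptable ingest target."""

def _resolve(host):
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def check_url(url, resolve=_resolve):
    """Validate one URL and return its normalized host name, or raise BlockedURL."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_PORTS:
        raise BlockedURL("scheme not allowed")
    if parts.username is not None or parts.password is not None:  # also "http://@host/"
        raise BlockedURL("credentialed URL")
    try:
        port = parts.port  # urlsplit raises ValueError for an unusable port
    except ValueError:
        raise BlockedURL("invalid port") from None
    if port not in (None, ALLOWED_PORTS[parts.scheme]):
        raise BlockedURL("non-standard port")
    host = (parts.hostname or "").rstrip(".").lower()
    addrs = resolve(host) if host else ()
    if not addrs or not all(  # every resolved address must be public
            ipaddress.ip_address(a.split("%")[0]).is_global for a in addrs):
        raise BlockedURL("host unresolved or not a public address")
    return host

def fetch_checked(url, fetch_hop, resolve=_resolve):
    """Follow redirects by hand; each hop is re-validated and must stay on the first host.
    fetch_hop(url) is hypothetical: ONE request, no auto-redirect -> (status, location, body)."""
    origin = check_url(url, resolve)
    for _ in range(MAX_REDIRECTS + 1):
        status, location, body = fetch_hop(url)
        if status not in (301, 302, 303, 307, 308):
            return url, body
        if not location:
            raise BlockedURL("redirect without Location header")
        url = urljoin(url, location)
        if check_url(url, resolve) != origin:
            raise BlockedURL("cross-host redirect")
    raise BlockedURL("too many redirects")
```

A production fetcher should also connect to the address that was validated, since a second DNS lookup at request time can return a different answer.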