CVE-2026-28677
🟡 Monitor
In OpenSift prior to version 1.6.3-alpha there was an SSRF vulnerability that allowed attackers to reach internal resources due to inadequate filtering…
| Field | Value |
|---|---|
| CVSS | 8.2 |
| EPSS | 0.1% |
| Exploit | none |
| Vendor | opensift |
Source description (NVD)
OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI. Prior to version 1.6.3-alpha, the URL ingest pipeline accepted user-controlled remote URLs with incomplete destination restrictions. Although private/local host checks existed, missing restrictions for credentialed URLs, non-standard ports, and cross-host redirects left SSRF-class abuse paths in non-localhost deployments. This issue has been patched in version 1.6.3-alpha.
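The three gaps the NVD description names (credentialed URLs, non-standard ports, cross-host redirects) are exactly the checks a "private host only" filter tends to miss. The following is an added defensive example, not OpenSift's own code or its patch: a small URL-ingest validator that rejects credentials in the URL, ports other than the scheme default, any destination that resolves to a non-public address (including IPv4-mapped IPv6), and any redirect hop that changes host. The resolver and the fetcher are injected so the example runs offline; the host names, IP addresses and routes in `FAKE_DNS` and `FAKE_ROUTES` are constructed fixtures, and `IngestUrlRejected`, `check_single_url` and `fetch_with_safe_redirects` are hypothetical names chosen for this example.

```python
# Added defensive example (not OpenSift's code): a URL-ingest validator that
# closes the gaps the advisory names: credentialed URLs, non-default ports,
# private/local destinations (incl. IPv4-mapped IPv6) and cross-host redirects.
import ipaddress
from typing import Callable, Dict, Iterable, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_REDIRECTS = 5

class IngestUrlRejected(ValueError):
    """Raised with a human-readable reason when a URL fails the policy."""

def _is_public_address(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # apply the IPv4 rules to ::ffff:10.0.0.1 etc.
    if (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified):
        return False
    return addr.is_global

def check_single_url(url: str, resolve: Callable[[str], Iterable[str]]) -> str:
    """Validate one URL against the policy; return its host name if accepted."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise IngestUrlRejected(f"scheme {parts.scheme!r} not allowed")
    if parts.username is not None or parts.password is not None:
        raise IngestUrlRejected("credentials in URL not allowed")
    host = parts.hostname
    if not host:
        raise IngestUrlRejected("missing host")
    try:
        port = parts.port
    except ValueError:
        raise IngestUrlRejected("invalid port") from None
    if port is not None and port != DEFAULT_PORTS[parts.scheme]:
        raise IngestUrlRejected(f"non-standard port {port} not allowed")
    ips = list(resolve(host))  # every resolved address must be public
    if not ips or not all(_is_public_address(ip) for ip in ips):
        raise IngestUrlRejected(f"host {host!r} is not a public address")
    return host

def fetch_with_safe_redirects(url, resolve, fetch, max_redirects=MAX_REDIRECTS):
    """fetch(url) -> (status, headers, body) and must NOT follow redirects itself.
    Each hop is re-validated; a hop to a different host is refused outright."""
    origin_host = check_single_url(url, resolve)
    current = url
    for _ in range(max_redirects + 1):
        status, headers, body = fetch(current)
        if status not in REDIRECT_CODES:
            return current, body
        location = headers.get("Location")
        if not location:
            raise IngestUrlRejected("redirect without Location header")
        target = urljoin(current, location)
        if check_single_url(target, resolve) != origin_host:
            raise IngestUrlRejected(f"cross-host redirect to {target!r} blocked")
        current = target
    raise IngestUrlRejected("too many redirects")

# ---- constructed fixtures so the example runs offline (hypothetical hosts) ----
FAKE_DNS: Dict[str, List[str]] = {
    "docs.example.com": ["93.184.216.34"],        # public
    "other.example.org": ["93.184.216.35"],       # public, different host
    "intranet.example.com": ["10.0.0.5"],         # RFC 1918
    "metadata.example.com": ["169.254.169.254"],  # link-local
    "mapped.example.com": ["::ffff:10.0.0.1"],    # IPv4-mapped private
}
FAKE_ROUTES = {
    "https://docs.example.com/old": (302, {"Location": "/new"}, b""),
    "https://docs.example.com/new": (200, {}, b"document body"),
    "https://docs.example.com/hop": (302, {"Location": "https://other.example.org/"}, b""),
    "https://docs.example.com/loop": (302, {"Location": "/loop"}, b""),
}

def fake_resolve(host: str) -> List[str]:
    try:
        ipaddress.ip_address(host)  # an IP literal "resolves" to itself
        return [host]
    except ValueError:
        return FAKE_DNS.get(host, [])

def fake_fetch(url: str) -> Tuple[int, Dict[str, str], bytes]:
    return FAKE_ROUTES.get(url, (404, {}, b""))

def demo_ingest(url: str) -> Tuple[str, bytes]:
    return fetch_with_safe_redirects(url, fake_resolve, fake_fetch)

def rejection_reason(url: str) -> Optional[str]:
    """None if the URL would be ingested, otherwise the policy reason."""
    try:
        demo_ingest(url)
        return None
    except IngestUrlRejected as exc:
        return str(exc)
```

In a real deployment the `resolve` callback must return the addresses the connection will actually use, and the HTTP client must be configured not to follow redirects on its own, otherwise the per-hop check is bypassed. Pinning the validated IP for the connection (rather than letting the client resolve the name a second time) is the usual way to keep a DNS change between check and connect from undoing the validation.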
ssrf
No patch
Sources and dates
| Source | Value |
|---|---|
| NVD – CVSS | 8.2 |
| CISA KEV (actively exploited) | No |
| FIRST EPSS (exploit probability) | 0.1% |
| Published (NVD) | 2026-03-06 05:16:36 UTC |
| Last modified (NVD) | 2026-03-18 12:59:04 UTC |
References
- https://github.com/OpenSift/OpenSift/commit/1126e0a503876056a68a434e19f64158a5a4840b (security-advisories@github.com) [Patch]
- https://github.com/OpenSift/OpenSift/commit/de99b9c (security-advisories@github.com) [Patch]
- https://github.com/OpenSift/OpenSift/pull/67 (security-advisories@github.com) [Issue Tracking, Patch]
- https://github.com/OpenSift/OpenSift/releases/tag/v1.6.3-alpha (security-advisories@github.com) [Release Notes]
- https://github.com/OpenSift/OpenSift/security/advisories/GHSA-5jfc-p787-2mf9 (security-advisories@github.com) [Vendor Advisory, Patch]