CVE-2026-28276
Last modified
CVE-2026-28276 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. Initiative is a self-hosted project management platform. An access control vulnerability exists in Initiative versions prior to 0.32.2 where uploaded documents are served from a publicly accessible /uploads/ directory without any authentication or authorization checks. EPSS estimates a 0.32% chance of exploitation in the next 30 days.
Description
Initiative is a self-hosted project management platform. An access control vulnerability exists in Initiative versions prior to 0.32.2 where uploaded documents are served from a publicly accessible /uploads/ directory without any authentication or authorization checks. Any uploaded file can be accessed directly via its URL by unauthenticated users (e.g., in an incognito browser session), leading to potential disclosure of sensitive documents. The problem was patched in v0.32.2, and the patch was further improved on in 032.4.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Morelitea | Initiative | < 0.32.2 |
References
- https://github.com/Morelitea/initiative/releases/tag/v0.32.2Product, Release Notes
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-28276?
How severe is CVE-2026-28276?
How do I fix CVE-2026-28276?
Are you affected by CVE-2026-28276?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST