Skip to main content

Initiative CVE-2026-28276

HIGH
Information Exposure (CWE-200)
2026-02-26 security-advisories@github.com
Authentication Bypass Information Disclosure Initiative
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Mar 12, 2026 - 21:56 vuln.today
CVE Published
Feb 26, 2026 - 23:16 nvd
HIGH 7.5

DescriptionGitHub Advisory

Initiative is a self-hosted project management platform. An access control vulnerability exists in Initiative versions prior to 0.32.2 where uploaded documents are served from a publicly accessible /uploads/ directory without any authentication or authorization checks. Any uploaded file can be accessed directly via its URL by unauthenticated users (e.g., in an incognito browser session), leading to potential disclosure of sensitive documents. The problem was patched in v0.32.2, and the patch was further improved on in 032.4.

AnalysisAI

Unauthenticated access to uploaded files in Initiative project management platform prior to version 0.32.2 allows remote attackers to retrieve sensitive documents by directly accessing the unprotected /uploads/ directory. The vulnerability stems from missing authentication and authorization controls on file serving, enabling disclosure of confidential project data without requiring any credentials. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify Initiative instance URL
Exploit
Discover /uploads/ directory structure
Execution
Construct direct URL to sensitive document
Impact
Access confidential file without authentication
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Initiative versions prior to 0.32.2 with documents uploaded to the /uploads/ directory. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 7.5 (HIGH). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker without authentication could exploit this flaw, potential disclosure of sensitive documents.
Remediation Monitor vendor advisories for a patch. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Audit Initiative deployment version and identify all instances running versions prior to 0.32.2; disable document upload functionality if possible or restrict /uploads/ directory access at the network/firewall level. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-28276 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy