CVE-2026-28276
HIGH 7.5
Description
Initiative is a self-hosted project management platform. An access control vulnerability exists in Initiative versions prior to 0.32.2, where uploaded documents are served from a publicly accessible /uploads/ directory without any authentication or authorization checks. Any uploaded file can be accessed directly via its URL by unauthenticated users (e.g., in an incognito browser session), leading to potential disclosure of sensitive documents. The problem was patched in v0.32.2, and the patch was further improved in 0.32.4.
CVE Details
CVSS v3.1 Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: NETWORK
Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Published: 2/26/2026
Last Modified: 2/27/2026
Source: nvd
Honeypot Sightings: 0
Affected Products
morelitea:initiative
Weaknesses (CWE)
CWE-200, CWE-284, CWE-862
References
https://github.com/Morelitea/initiative/releases/tag/v0.32.2 (security-advisories@github.com)
https://github.com/Morelitea/initiative/security/advisories/GHSA-w34j-fx72-h2pq (security-advisories@github.com)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.