CVE-2026-27189
Race Condition in OpenSift Local JSON Persistence Causes Data Corruption
Publication date: 2026-02-21
Last updated on: 2026-02-23
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| opensift | opensift | up to 1.1.3 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-362 | The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently. |
| CWE-367 | The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27189 is a race condition vulnerability in OpenSift versions 1.1.2-alpha and below. It affects the local JSON persistence mechanisms used by various components such as session, study, quiz, flashcard, wellness, and authentication stores.
The issue arises because the local persistence operations are non-atomic and insufficiently synchronized, meaning that concurrent operations can interfere with each other. This can lead to lost updates or corrupted local state across different sessions or stores.
The vulnerability is classified under CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) and CWE-367 (Time-of-check Time-of-use (TOCTOU) Race Condition).
The problem was fixed in OpenSift version 1.1.3-alpha by implementing lock-guarded atomic writes and synchronizing shared in-memory mutation paths to prevent race conditions.
How can this vulnerability impact me?
This vulnerability can cause high integrity loss due to corrupted or lost data in local JSON persistence stores used by OpenSift.
Specifically, concurrent operations may overwrite or corrupt session, study, quiz, flashcard, wellness, or authentication data, potentially leading to inconsistent or incorrect application behavior.
The attack vector is local, requiring low privileges and no user interaction, so an attacker with local access could exploit this to cause data corruption.
Confidentiality and availability impacts are low, but the integrity impact is high, meaning the main risk is incorrect or lost data rather than data exposure or denial of service.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability arises from race conditions in local JSON persistence within OpenSift versions 1.1.2-alpha and below, causing potential state corruption or lost updates during concurrent operations.
Detection involves checking the version of OpenSift installed on your system to see if it is vulnerable (i.e., version 1.1.2-alpha or below).
Since the issue is local and related to file persistence, network detection is not applicable.
- Run a command to check the OpenSift version, for example: `opensift --version` or check the version in the installed package metadata.
- Inspect the presence of affected Python modules (flashcard_store.py, opensift.py, quiz_store.py, session_store.py, study_store.py, test_auth_session_streaming.py, wellness.py) and verify if they are from a vulnerable version.
No specific commands for detecting race conditions or corrupted state files are provided in the resources.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade OpenSift to version 1.1.3-alpha or later, where the vulnerability has been fixed.
The fix involves migrating local JSON persistence to lock-guarded atomic writes, preventing race conditions and state corruption.
Until the upgrade is applied, avoid running concurrent operations that modify local JSON persistence stores to reduce the risk of corruption.
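The fix pattern the record describes, lock-guarded atomic writes for a local JSON store, shown as an added Python illustration (this is not OpenSift's own code; the store file name, function names and the `count` field are constructed for the example):

```python
import json
import os
import tempfile
import threading
from pathlib import Path

# Process-wide lock; separate OS processes would also need a file lock (not shown).
_STORE_LOCK = threading.RLock()

def atomic_write_json(path, data):
    """Write to a temp file beside the target, fsync, then rename over it."""
    path = Path(path)
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=path.name + ".", suffix=".tmp")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            json.dump(data, fh, indent=2, sort_keys=True)
            fh.flush()
            os.fsync(fh.fileno())          # data is on disk before the rename
        os.replace(tmp, path)              # atomic: readers see old or new, never torn
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)                 # never leave a half-written temp file behind
        raise

def load_json(path, default):
    """Parse the store, returning `default` if it does not exist yet."""
    if not Path(path).exists():
        return default
    return json.loads(Path(path).read_text(encoding="utf-8"))

def update_store(path, mutate):
    """Load, mutate and write inside one critical section (no TOCTOU window)."""
    with _STORE_LOCK:
        state = load_json(path, {})
        mutate(state)
        atomic_write_json(path, state)
        return state

def concurrent_increments(threads=8, per_thread=25):
    """Constructed stress test: threads bump one counter; expect threads * per_thread."""
    with tempfile.TemporaryDirectory() as tmpdir:
        store = Path(tmpdir) / "session_store.json"   # constructed path, not OpenSift's
        def worker():
            for _ in range(per_thread):
                update_store(store, lambda s: s.update(count=s.get("count", 0) + 1))
        pool = [threading.Thread(target=worker) for _ in range(threads)]
        for t in pool: t.start()
        for t in pool: t.join()
        return load_json(store, {}).get("count", 0)
```

Without the lock the same read-modify-write from several threads loses increments, which is the lost-update symptom the record describes; the temp-file-plus-rename step is what prevents a reader from ever parsing a partially written file.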