CVE-2026-27189
Received Received - Intake
Race Condition in OpenSift Local JSON Persistence Causes Data Corruption

Publication date: 2026-02-21

Last updated on: 2026-02-23

Assigner: GitHub, Inc.

Description
OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI. Versions 1.1.2-alpha and below, use non-atomic and insufficiently synchronized local JSON persistence flows, potentially causing concurrent operations to lose updates or corrupt local state across sessions/study/quiz/flashcard/wellness/auth stores. This issue has been fixed in version 1.1.3-alpha.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-21
Last Modified
2026-02-23
Generated
2026-06-16
AI Q&A
2026-02-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27189
EUVD
EUVD-2026-7744
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
opensift opensift to 1.1.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-27189 is a race condition vulnerability in OpenSift versions 1.1.2-alpha and below. It affects the local JSON persistence mechanisms used by various components such as session, study, quiz, flashcard, wellness, and authentication stores.

The issue arises because the local persistence operations are non-atomic and insufficiently synchronized, meaning that concurrent operations can interfere with each other. This can lead to lost updates or corrupted local state across different sessions or stores.

The vulnerability is classified under CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization) and CWE-367 (Time-of-check Time-of-use (TOCTOU) Race Condition).

The problem was fixed in OpenSift version 1.1.3-alpha by implementing lock-guarded atomic writes and synchronizing shared in-memory mutation paths to prevent race conditions.

Impact Analysis

This vulnerability can cause high integrity loss due to corrupted or lost data in local JSON persistence stores used by OpenSift.

Specifically, concurrent operations may overwrite or corrupt session, study, quiz, flashcard, wellness, or authentication data, potentially leading to inconsistent or incorrect application behavior.

The attack vector is local, requiring low privileges and no user interaction, so an attacker with local access could exploit this to cause data corruption.

Confidentiality and availability impacts are low, but the integrity impact is high, meaning the main risk is incorrect or lost data rather than data exposure or denial of service.

Compliance Impact

I don't know

Detection Guidance

This vulnerability arises from race conditions in local JSON persistence within OpenSift versions 1.1.2-alpha and below, causing potential state corruption or lost updates during concurrent operations.

Detection involves checking the version of OpenSift installed on your system to see if it is vulnerable (i.e., version 1.1.2-alpha or below).

Since the issue is local and related to file persistence, network detection is not applicable.

  • Run a command to check the OpenSift version, for example: `opensift --version` or check the version in the installed package metadata.
  • Inspect the presence of affected Python modules (flashcard_store.py, opensift.py, quiz_store.py, session_store.py, study_store.py, test_auth_session_streaming.py, wellness.py) and verify if they are from a vulnerable version.

No specific commands for detecting race conditions or corrupted state files are provided in the resources.

Mitigation Strategies

The primary mitigation step is to upgrade OpenSift to version 1.1.3-alpha or later, where the vulnerability has been fixed.

The fix involves migrating local JSON persistence to lock-guarded atomic writes, preventing race conditions and state corruption.

Until the upgrade is applied, avoid running concurrent operations that modify local JSON persistence stores to reduce the risk of corruption.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27189. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart