CVE-2026-28276
Unauthorized Access via Unauthenticated File Exposure in Initiative Uploads
Publication date: 2026-02-26
Last updated on: 2026-02-27
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| morelitea | initiative | to 0.32.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the Initiative project management platform versions prior to 0.32.2. It is an access control flaw where uploaded documents are stored in a publicly accessible /uploads/ directory without any authentication or authorization checks.
This means that any uploaded file can be accessed directly by anyone via its URL, even if they are not logged in or authenticated, such as through an incognito browser session.
This can lead to the unintended disclosure of sensitive documents.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized access to sensitive documents that were uploaded to the Initiative platform.
Since files are accessible without authentication, confidential or private information could be exposed to anyone who obtains the direct URL.
This exposure could result in data breaches, loss of confidentiality, and potential harm to individuals or organizations relying on the platform for secure document management.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves uploaded documents being accessible without authentication via the /uploads/ directory. To detect it, you can attempt to access uploaded files directly through their URLs in an unauthenticated context, such as an incognito browser session.
You can also check your server or application logs for requests to the /uploads/ directory from unauthenticated users.
Specific commands to detect this vulnerability are not provided in the available information.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability was patched in Initiative version 0.32.2, with further improvements in version 0.32.4.
Immediate mitigation steps include upgrading your Initiative installation to at least version 0.32.2 or later.
Until the upgrade is applied, restrict public access to the /uploads/ directory by implementing authentication and authorization checks or by configuring your web server to block unauthenticated access to that directory.