Executive Summary

CVE-2026-28675 is a security vulnerability in OpenSift, an AI study tool, where prior to version 1.6.3-alpha some API endpoints exposed raw exception messages and login token material directly to clients. This exposure could reveal sensitive internal error details and authentication tokens.

The vulnerability involves two main issues: leaking raw exception strings in responses, and exposing full login tokens in UI-rendered pages and token rotation outputs. These issues could aid attackers in gathering sensitive information to facilitate further attacks.

The problem was addressed by sanitizing error messages to avoid leaking raw exceptions, removing full token exposure from UI and API responses, and hardening URL ingestion and file path handling to prevent other related security risks.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing unauthorized remote attackers to gain sensitive information such as internal error details and authentication tokens without any privileges or user interaction.

Exposure of raw exception messages can reveal implementation details that help attackers understand the system and craft further attacks.

Exposure of login tokens in UI and API responses can enable attackers to hijack sessions or perform unauthorized actions if they obtain these tokens.

While the vulnerability does not directly affect data integrity or availability, it poses a confidentiality risk that could facilitate subsequent attacks.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves checking if your OpenSift deployment is running a version prior to 1.6.3-alpha, as those versions expose raw exception strings and login token material in API responses and UI renderings.'}, {'type': 'paragraph', 'content': 'You can detect potential exploitation or presence of the vulnerability by monitoring network traffic or API responses for raw exception messages or exposed tokens in endpoints related to login, token rotation, or error responses.'}, {'type': 'paragraph', 'content': 'Suggested commands to detect this include using curl or similar tools to query relevant endpoints and inspect responses for sensitive information exposure:'}, {'type': 'list_item', 'content': "curl -v http://your-opensift-instance/api/rotate-token -H 'Authorization: Bearer <token>'"}, {'type': 'list_item', 'content': 'curl -v http://your-opensift-instance/login -i'}, {'type': 'list_item', 'content': 'curl -v http://your-opensift-instance/settings -i'}, {'type': 'paragraph', 'content': 'Look for raw exception strings or full login tokens in the responses, which indicate the vulnerability is present.'}, {'type': 'paragraph', 'content': 'Additionally, reviewing logs for error messages that include raw exception details or token material can help detect the vulnerability.'}] [5]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade OpenSift to version 1.6.3-alpha or later, where the vulnerability has been patched.

If immediate upgrade is not possible, apply the following steps to reduce risk:

• Restrict access to authentication and settings endpoints (such as login, rotate-token, and settings pages) to trusted administrators only.
• Prefer password authentication over token-based authentication where feasible.
• Rotate all tokens immediately if there is any suspicion of token exposure.
• Monitor and sanitize logs and API responses to avoid leaking raw exception details.

These steps help prevent unauthorized access and reduce the risk of sensitive information leakage until the patched version is deployed.

Useful 0 Not Useful 0