CVE-2026-28276
Published: 26 February 2026
Summary
CVE-2026-28276 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Morelitea Initiative. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2026-28276 is an access control vulnerability affecting Initiative, a self-hosted project management platform, in versions prior to 0.32.2. The flaw occurs because uploaded documents are served from a publicly accessible /uploads/ directory without any authentication or authorization checks, allowing direct access to any uploaded file via its URL. This issue is classified under CWE-200 (Exposure of Sensitive Information), CWE-284 (Improper Access Control), and CWE-862 (Missing Authorization), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact from a network-accessible attack with low complexity and no privileges required.
Unauthenticated attackers, such as those using an incognito browser session, can exploit this vulnerability by simply knowing or guessing the direct URL of an uploaded file in the /uploads/ directory. Successful exploitation leads to unauthorized disclosure of sensitive documents that users intended to keep private within the platform, potentially exposing confidential project data, intellectual property, or other restricted information without requiring any prior access to the Initiative instance.
The vulnerability was patched in Initiative version 0.32.2, with the fix further improved in version 0.32.4. Security practitioners should upgrade to at least v0.32.2 or later, as detailed in the GitHub release notes at https://github.com/Morelitea/initiative/releases/tag/v0.32.2 and the security advisory at https://github.com/Morelitea/initiative/security/advisories/GHSA-w34j-fx72-h2pq. No additional workarounds are specified in the provided references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8921
Vulnerability details
Initiative is a self-hosted project management platform. An access control vulnerability exists in Initiative versions prior to 0.32.2 where uploaded documents are served from a publicly accessible /uploads/ directory without any authentication or authorization checks. Any uploaded file can be…
more
accessed directly via its URL by unauthenticated users (e.g., in an incognito browser session), leading to potential disclosure of sensitive documents. The problem was patched in v0.32.2, and the patch was further improved on in 032.4.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a missing authorization flaw in a public-facing web application that directly exposes uploaded files via predictable URLs, enabling remote unauthenticated data access consistent with exploitation of public-facing applications.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
AC-3 requires enforcement of approved authorizations for access to system resources like the /uploads/ directory, directly preventing unauthenticated access to uploaded documents.
SC-14 mandates controls to restrict public access on system interfaces such as the publicly exposed /uploads/ endpoint, mitigating direct URL access by unauthenticated users.
AC-22 ensures review and designation of publicly accessible content, preventing sensitive uploaded documents from being inadvertently exposed without authorization checks.