CVE-2026-28276
Published: 26 February 2026
Summary
CVE-2026-28276 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Morelitea Initiative. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Associating and retaining security attributes with data directly supports enforcement of access control decisions across storage, processing, and transmission.
Enforces rules governing access to the system and its data from external systems based on established trust relationships.
This control requires verifying that a sharing partner's access authorizations match the information's restrictions before sharing occurs.
Session auditing enables detection of unauthorized exposure or access to sensitive information during user activities.
Sanitizing equipment to remove specified information before off-site maintenance prevents exposure of sensitive information to unauthorized actors such as external maintenance personnel.
Requiring detailed, requestable records of every PII disclosure directly aids detection of unauthorized exposures of sensitive information.
Data governance body defines and oversees organizational access control policies for data resources, reducing improper access control.
Annual reviews and proposal scrutiny detect and block matching programs that would expose sensitive data to unauthorized recipients or systems.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a missing authorization flaw in a public-facing web application that directly exposes uploaded files via predictable URLs, enabling remote unauthenticated data access consistent with exploitation of public-facing applications.
NVD Description
Initiative is a self-hosted project management platform. An access control vulnerability exists in Initiative versions prior to 0.32.2 where uploaded documents are served from a publicly accessible /uploads/ directory without any authentication or authorization checks. Any uploaded file can be…
more
accessed directly via its URL by unauthenticated users (e.g., in an incognito browser session), leading to potential disclosure of sensitive documents. The problem was patched in v0.32.2, and the patch was further improved on in 032.4.
Deeper analysisAI
CVE-2026-28276 is an access control vulnerability affecting Initiative, a self-hosted project management platform, in versions prior to 0.32.2. The flaw occurs because uploaded documents are served from a publicly accessible /uploads/ directory without any authentication or authorization checks, allowing direct access to any uploaded file via its URL. This issue is classified under CWE-200 (Exposure of Sensitive Information), CWE-284 (Improper Access Control), and CWE-862 (Missing Authorization), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact from a network-accessible attack with low complexity and no privileges required.
Unauthenticated attackers, such as those using an incognito browser session, can exploit this vulnerability by simply knowing or guessing the direct URL of an uploaded file in the /uploads/ directory. Successful exploitation leads to unauthorized disclosure of sensitive documents that users intended to keep private within the platform, potentially exposing confidential project data, intellectual property, or other restricted information without requiring any prior access to the Initiative instance.
The vulnerability was patched in Initiative version 0.32.2, with the fix further improved in version 0.32.4. Security practitioners should upgrade to at least v0.32.2 or later, as detailed in the GitHub release notes at https://github.com/Morelitea/initiative/releases/tag/v0.32.2 and the security advisory at https://github.com/Morelitea/initiative/security/advisories/GHSA-w34j-fx72-h2pq. No additional workarounds are specified in the provided references.
Details
- CWE(s)