Cyber Resilience

CVE-2026-28276

High

Published: 26 February 2026

Published
26 February 2026
Modified
27 February 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0015 35.6th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-28276 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Morelitea Initiative. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-28276 is an access control vulnerability affecting Initiative, a self-hosted project management platform, in versions prior to 0.32.2. The flaw occurs because uploaded documents are served from a publicly accessible /uploads/ directory without any authentication or authorization checks, allowing direct access to any uploaded file via its URL. This issue is classified under CWE-200 (Exposure of Sensitive Information), CWE-284 (Improper Access Control), and CWE-862 (Missing Authorization), with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact from a network-accessible attack with low complexity and no privileges required.

Unauthenticated attackers, such as those using an incognito browser session, can exploit this vulnerability by simply knowing or guessing the direct URL of an uploaded file in the /uploads/ directory. Successful exploitation leads to unauthorized disclosure of sensitive documents that users intended to keep private within the platform, potentially exposing confidential project data, intellectual property, or other restricted information without requiring any prior access to the Initiative instance.

The vulnerability was patched in Initiative version 0.32.2, with the fix further improved in version 0.32.4. Security practitioners should upgrade to at least v0.32.2 or later, as detailed in the GitHub release notes at https://github.com/Morelitea/initiative/releases/tag/v0.32.2 and the security advisory at https://github.com/Morelitea/initiative/security/advisories/GHSA-w34j-fx72-h2pq. No additional workarounds are specified in the provided references.

EU & UK References

Vulnerability details

Initiative is a self-hosted project management platform. An access control vulnerability exists in Initiative versions prior to 0.32.2 where uploaded documents are served from a publicly accessible /uploads/ directory without any authentication or authorization checks. Any uploaded file can be…

more

accessed directly via its URL by unauthenticated users (e.g., in an incognito browser session), leading to potential disclosure of sensitive documents. The problem was patched in v0.32.2, and the patch was further improved on in 032.4.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a missing authorization flaw in a public-facing web application that directly exposes uploaded files via predictable URLs, enabling remote unauthenticated data access consistent with exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-28274Same product: Morelitea Initiative
CVE-2026-28275Same product: Morelitea Initiative
CVE-2025-69220Shared CWE-284, CWE-862
CVE-2025-70985Shared CWE-284, CWE-862
CVE-2026-2894Shared CWE-200, CWE-284
CVE-2026-2148Shared CWE-200, CWE-284
CVE-2026-2055Shared CWE-200, CWE-284
CVE-2026-2054Shared CWE-200, CWE-284
CVE-2025-70986Shared CWE-284, CWE-862
CVE-2025-0481Shared CWE-200, CWE-284

Affected Assets

morelitea
initiative
≤ 0.32.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-3 requires enforcement of approved authorizations for access to system resources like the /uploads/ directory, directly preventing unauthenticated access to uploaded documents.

prevent

SC-14 mandates controls to restrict public access on system interfaces such as the publicly exposed /uploads/ endpoint, mitigating direct URL access by unauthenticated users.

prevent

AC-22 ensures review and designation of publicly accessible content, preventing sensitive uploaded documents from being inadvertently exposed without authorization checks.

References