CVE-2026-28518
Published: 03 March 2026
Summary
CVE-2026-28518 is a high-severity Path Traversal (CWE-22) vulnerability in Volcengine OpenViking. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The CVE ranks at the 3.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Requires validation of ZIP archive member names and paths during .ovpack imports to block traversal sequences, absolute paths, and drive prefixes.
- Mandates timely installation of patches, such as the fix in commit 46b3e76, to remediate the path traversal flaw in OpenViking import handling.
- Limits the importing process to least privilege, reducing the impact of arbitrary file writes outside the intended directory.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is triggered by a user importing a crafted malicious .ovpack archive (ZIP), directly mapping to user execution of a malicious file; the path traversal primitive then enables arbitrary file write/overwrite for follow-on impact.
NVD Description
OpenViking versions 0.2.1 and prior, fixed in commit 46b3e76, contain a path traversal vulnerability in the .ovpack import handling that allows attackers to write files outside the intended import directory. Attackers can craft malicious ZIP archives with traversal sequences, absolute paths, or drive prefixes in member names to overwrite or create arbitrary files with the importing process privileges.
Deeper analysis
CVE-2026-28518 is a path traversal vulnerability (CWE-22) affecting OpenViking versions 0.2.1 and prior, specifically in the handling of .ovpack file imports. The flaw enables attackers to write files outside the intended import directory by crafting malicious ZIP archives that include path traversal sequences, absolute paths, or drive prefixes in member names. This allows overwriting or creating arbitrary files with the privileges of the importing process. The vulnerability has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and was published on 2026-03-03.
An attacker with local access can exploit this vulnerability without privileges by tricking a user into importing a malicious .ovpack ZIP archive, as user interaction is required. Successful exploitation grants the ability to overwrite or create arbitrary files on the system, potentially leading to high-impact confidentiality, integrity, and availability compromises depending on the targeted files and process privileges.
The vulnerability is fixed in OpenViking commit 46b3e76e28b9b3eee73693720c9ec48820228b72. Advisories from VulnCheck detail the Zip Slip-style path traversal in .ovpack import handling, while GitHub issue #342 provides additional context on the discovery and resolution. Security practitioners should update to the patched commit and validate ZIP archives during imports to mitigate risks.
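One way to implement the member-name validation described above, as an added example (not OpenViking's code and not the fix in commit 46b3e76). The names `member_problem` and `safe_extract` are hypothetical; the archive is checked in full before anything is written, so one bad member rejects the whole import.

```python
import re
import shutil
import zipfile
from pathlib import Path
from typing import List, Optional

_DRIVE = re.compile(r"^[A-Za-z]:")  # Windows drive prefix such as C:

def member_problem(name: str) -> Optional[str]:
    """Return why a member name is unsafe to extract, or None if acceptable."""
    norm = name.replace("\\", "/")  # treat backslashes as separators too
    if not norm:
        return "empty name"
    if _DRIVE.match(norm):
        return "drive prefix"
    if norm.startswith("/"):  # also catches UNC-style //host/share
        return "absolute path"
    if ".." in norm.split("/"):
        return "traversal sequence"
    return None

def safe_extract(zf: zipfile.ZipFile, dest: Path) -> List[Path]:
    """Check every member before writing; one bad name rejects the archive."""
    root = Path(dest).resolve()
    plan = []
    for info in zf.infolist():
        problem = member_problem(info.filename)
        if problem:
            raise ValueError(f"rejected {info.filename!r}: {problem}")
        target = (root / info.filename.replace("\\", "/")).resolve()
        if not target.is_relative_to(root):  # backstop, e.g. symlinked dirs
            raise ValueError(f"rejected {info.filename!r}: outside {root}")
        plan.append((info, target))
    written = []
    for info, target in plan:
        if info.is_dir():
            target.mkdir(parents=True, exist_ok=True)
            continue
        target.parent.mkdir(parents=True, exist_ok=True)
        with zf.open(info) as src, open(target, "wb") as out:
            shutil.copyfileobj(src, out)
        written.append(target)
    return written

if __name__ == "__main__":
    # Constructed sample member names, not taken from any real archive.
    for n in ["notes/readme.txt", "../outside.txt", "/abs/file", "C:\\dir\\f"]:
        print(f"{n!r}: {member_problem(n) or 'ok'}")
```

`Path.is_relative_to` requires Python 3.9 or later.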
Details
- CWE(s)