CVE-2026-27170

Published: Feb 21, 2026Modified: Feb 23, 2026

7.1

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Exploitability: 2.8 / Impact: 4.2

Source: security-advisories@github.com (Secondary)

Description

OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI. In versions 1.1.2-alpha and below, URL ingest allows overly permissive server-side fetch behavior and can be coerced into requesting unsafe targets. Potential access/probing of private/local network resources from the OpenSift host process when ingesting attacker-controlled URLs. This issue has been fixed in version 1.1.3-alpha. To workaround when using trusted local-only exceptions, use OPENSIFT_ALLOW_PRIVATE_URLS=true with caution.

Affected (1)

Products: Opensift: Opensift

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Opensift Opensift	Before 1.1.3

Related CWEs

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

References (2)

https://github.com/OpenSift/OpenSift/releases/tag/v1.1.3-alpha

Source: security-advisories@github.com

ProductRelease Notes

https://github.com/OpenSift/OpenSift/security/advisories/GHSA-3w2r-hj5p-h6pp

Source: security-advisories@github.com

Vendor Advisory

Timeline

No history available yet.