CVE-2026-28276

Published: Feb 26, 2026Modified: Feb 27, 2026

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: security-advisories@github.com (Secondary)

Description

Initiative is a self-hosted project management platform. An access control vulnerability exists in Initiative versions prior to 0.32.2 where uploaded documents are served from a publicly accessible /uploads/ directory without any authentication or authorization checks. Any uploaded file can be accessed directly via its URL by unauthenticated users (e.g., in an incognito browser session), leading to potential disclosure of sensitive documents. The problem was patched in v0.32.2, and the patch was further improved on in 032.4.

Affected (1)

Products: Morelitea: Initiative

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Morelitea Initiative	Before 0.32.2

Related CWEs

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (2)

https://github.com/Morelitea/initiative/releases/tag/v0.32.2

Source: security-advisories@github.com

ProductRelease Notes

https://github.com/Morelitea/initiative/security/advisories/GHSA-w34j-fx72-h2pq

Source: security-advisories@github.com

Vendor Advisory

Timeline

No history available yet.