Description

Initiative is a self-hosted project management platform. An access control vulnerability exists in Initiative versions prior to 0.32.2 where uploaded documents are served from a publicly accessible /uploads/ directory without any authentication or authorization checks. Any uploaded file can be accessed directly via its URL by unauthenticated users (e.g., in an incognito browser session), leading to potential disclosure of sensitive documents. The problem was patched in v0.32.2, and the patch was further improved on in 032.4.

INFO

Published Date :

2026-02-26T22:57:36.406Z

Last Modified :

2026-02-27T17:40:15.760Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-28276 vulnerability.

Vendors Products
Morelitea
  • Initiative
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-28276.

URL Resource
https://github.com/Morelitea/initiative/releases/tag/v0.32.2 cve-icon cve-icon
https://github.com/Morelitea/initiative/security/advisories/GHSA-w34j-fx72-h2pq cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact