Description
OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI. Versions 1.1.2-alpha and below use non-atomic and insufficiently synchronized local JSON persistence flows, potentially causing concurrent operations to lose updates or corrupt local state across sessions/study/quiz/flashcard/wellness/auth stores. This issue has been fixed in version 1.1.3-alpha.
Published: 2026-02-21
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Data Integrity (State Corruption)
Action: Apply Patch
AI Analysis

Impact

OpenSift’s local JSON persistence was designed without atomic operations or adequate synchronization, creating a race condition that can cause concurrent read/write operations to overwrite or lose data. The result is loss or corruption of user state across study, quiz, flashcard, wellness, or authentication stores, potentially erasing progress or changing quiz outcomes. The weakness aligns with CWE‑362 (Concurrent Execution with Shared Resource) and CWE‑367 (Deadlock or Resource Starvation).

Affected Systems

The vulnerability affects the OpenSift AI study tool, specifically versions 1.1.2‑alpha and earlier. Updated builds beginning with 1.1.3‑alpha contain the fix and are not affected.

Risk and Exploitability

The CVSS score of 6.6 indicates moderate severity, and the EPSS score below 1% suggests a low probability of exploitation. The issue is not listed in the CISA KEV catalog. The likely attack scenario is local or co‑located users performing parallel operations that trigger the race condition; exploitation is not remote. No public exploit is documented. The impact is limited to data integrity rather than remote code execution or privilege escalation.

Generated by OpenCVE AI on April 17, 2026 at 16:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenSift to version 1.1.3-alpha or later to apply the vendor‑provided fix.
  • If an upgrade is not immediately possible, ensure that only one process or thread accesses the local JSON persistence at a time by implementing application‑level locks or disabling concurrent operations during critical edits.
  • As a temporary workaround, manually back up the local state before performing intensive operations and restore if corruption is detected; consider moving critical data to a more robust storage mechanism such as a local database that supports atomic transactions.
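One way to implement the application-level lock and atomic write described in the recommended actions above, as an added example (it is not OpenSift's code or the vendor's 1.1.3-alpha fix). It assumes a POSIX system for `fcntl.flock`; the store name `quiz_store.json` and all function names are hypothetical.

```python
import fcntl
import json
import os
import tempfile
from concurrent.futures import ThreadPoolExecutor
from contextlib import contextmanager

@contextmanager
def locked_store(path):
    """Hold an exclusive advisory lock on a sidecar file for the whole read-modify-write."""
    with open(path + ".lock", "w") as lock_file:
        fcntl.flock(lock_file, fcntl.LOCK_EX)  # blocks other threads and processes
        yield  # closing lock_file on exit releases the lock

def atomic_write_json(path, data):
    """Write a temp file in the same directory, fsync it, then rename it over the target."""
    fd, tmp_path = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    try:
        with os.fdopen(fd, "w") as tmp:
            json.dump(data, tmp)
            tmp.flush()
            os.fsync(tmp.fileno())
        os.replace(tmp_path, path)  # atomic: readers see the old or new file, never a partial one
    except BaseException:
        os.unlink(tmp_path)
        raise

def update_store(path, mutate):
    """Load, mutate and persist the store under the lock so no concurrent update is lost."""
    with locked_store(path):
        try:
            with open(path) as f:
                state = json.load(f)
        except FileNotFoundError:
            state = {}
        mutate(state)
        atomic_write_json(path, state)
        return state

def demo(workers=8, rounds=25):
    """Constructed workload: concurrent writers each increment one counter in the store."""
    path = os.path.join(tempfile.mkdtemp(), "quiz_store.json")  # hypothetical store name
    def bump(state):
        state["answered"] = state.get("answered", 0) + 1
    with ThreadPoolExecutor(workers) as pool:
        list(pool.map(lambda _: update_store(path, bump), range(workers * rounds)))
    with open(path) as f:
        return json.load(f)["answered"]
```

Without the lock, two writers can both read the same counter value and one increment is lost; without the rename, a reader can load a half-written file.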



Advisories

No advisories yet.

History

Wed, 25 Feb 2026 22:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 21:00:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:opensift:opensift:*:*:*:*:*:python:*:*

Mon, 23 Feb 2026 15:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Opensift; Opensift opensift
Vendors & Products | | Opensift; Opensift opensift

Sat, 21 Feb 2026 00:15:00 +0000

Type | Values Removed | Values Added
Description | | OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI. Versions 1.1.2-alpha and below use non-atomic and insufficiently synchronized local JSON persistence flows, potentially causing concurrent operations to lose updates or corrupt local state across sessions/study/quiz/flashcard/wellness/auth stores. This issue has been fixed in version 1.1.3-alpha.
Title | | OpenSift: Race-prone local persistence could cause state corruption/loss
Weaknesses | | CWE-362, CWE-367
References | |
Metrics | | cvssV3_1 {'score': 6.6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-25T21:25:52.502Z

Reserved: 2026-02-18T19:47:02.153Z

Link: CVE-2026-27189

Vulnrichment

Updated: 2026-02-25T21:25:47.592Z

NVD

Status: Analyzed

Published: 2026-02-21T00:16:17.140

Modified: 2026-02-23T20:48:59.453

Link: CVE-2026-27189

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T17:00:10Z
