Description
Initiative is a self-hosted project management platform. An access control vulnerability exists in Initiative versions prior to 0.32.2 where uploaded documents are served from a publicly accessible /uploads/ directory without any authentication or authorization checks. Any uploaded file can be accessed directly via its URL by unauthenticated users (e.g., in an incognito browser session), leading to potential disclosure of sensitive documents. The problem was patched in v0.32.2, and the patch was further improved on in 032.4.
Published: 2026-02-26
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Disclosure of Uploaded Documents
Action: Immediate Patch
AI Analysis

Impact

Initiative is a self-hosted project management platform. Versions before 0.32.2 lack authentication checks when serving documents from the /uploads/ directory. This flaw allows any user to request a file by URL and receive its contents without verification, resulting in confidential data exposure.

Affected Systems

The affected product is Morelitea Initiative. All installations running versions earlier than 0.32.2 are vulnerable. The vendor has released version 0.32.2 and a further improvement in 0.32.4 that address the issue.

Risk and Exploitability

The CVSS score of 7.5 indicates a medium–high severity, while the EPSS score of less than 1% suggests a low probability of active exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw remotely by simply accessing the file URL, bypassing any authentication mechanisms. A successful exploitation would allow an attacker to read any document uploaded by users, compromising confidentiality and potentially exposing sensitive project data.

Generated by OpenCVE AI on April 17, 2026 at 14:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to version 0.32.2 or later to apply the vendor-supplied fix that enforces authentication on /uploads/.
  • If an upgrade is not yet possible, configure the web server or reverse proxy to block public access to the /uploads/ directory and require authentication.
  • Implement monitoring of file access logs to detect unauthorized retrievals and validate that the access control policy is enforced.

Generated by OpenCVE AI on April 17, 2026 at 14:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:morelitea:initiative:*:*:*:*:*:*:*:*

Fri, 27 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Morelitea
Morelitea initiative
Vendors & Products Morelitea
Morelitea initiative

Thu, 26 Feb 2026 23:15:00 +0000

Type Values Removed Values Added
Description Initiative is a self-hosted project management platform. An access control vulnerability exists in Initiative versions prior to 0.32.2 where uploaded documents are served from a publicly accessible /uploads/ directory without any authentication or authorization checks. Any uploaded file can be accessed directly via its URL by unauthenticated users (e.g., in an incognito browser session), leading to potential disclosure of sensitive documents. The problem was patched in v0.32.2, and the patch was further improved on in 032.4.
Title Initiative Allows Unauthenticated Access to Uploaded Documents via Public /uploads/ Endpoint
Weaknesses CWE-200
CWE-284
CWE-862
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Morelitea Initiative
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-27T17:40:15.760Z

Reserved: 2026-02-26T01:52:58.734Z

Link: CVE-2026-28276

cve-icon Vulnrichment

Updated: 2026-02-27T17:37:39.411Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-26T23:16:37.397

Modified: 2026-02-27T19:06:01.180

Link: CVE-2026-28276

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T14:15:21Z

Weaknesses