Description
OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI. Prior to version 1.6.3-alpha, some endpoints returned raw exception strings to clients. Additionally, login token material was exposed in UI/rendered responses and token rotation output. This issue has been patched in version 1.6.3-alpha.
Published: 2026-03-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

The vulnerability in OpenSift allows clients to receive raw exception strings from certain endpoints and to view login token material in UI/rendered responses and in token rotation output. Raw exception text reveals implementation details (the kind of information that typically appears in exception messages: paths, internal hostnames, library and query fragments) that help an attacker map the system. Exposed login token material is a credential disclosure rather than a mere configuration leak; the CVSS vector nevertheless rates confidentiality impact as low (C:L) and integrity and availability as unaffected.

Affected Systems

OpenSift prior to version 1.6.3‑alpha (CPE cpe:2.3:a:opensift:opensift:*:*:*:*:*:python:*:*). The description does not tie the behaviour to a configuration option, so every deployment of an affected version should be treated as vulnerable. Only OpenSift is affected; no other vendor's products are listed.

Risk and Exploitability

The CVSS 3.1 base score of 5.3 (Medium; vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) measures severity, not likelihood. The EPSS estimate below 1% and the SSVC assessment of Exploitation: none indicate a low probability of exploitation in the wild, and the CVE is not listed in CISA’s KEV catalog. Per the vector, an attacker who can reach the affected endpoints over the network needs no privileges and no user interaction: requests that trigger an unhandled exception return the raw exception string, and login token material appears in UI/rendered responses and token rotation output. The result is disclosure of implementation details and of authentication tokens; integrity and availability are not affected. Risk is highest where the endpoints are reachable from untrusted networks. No local access is required.

Generated by OpenCVE AI on April 17, 2026 at 12:25 UTC.

Remediation

The vendor has patched this issue in version 1.6.3‑alpha; no separate workaround is documented.

OpenCVE Recommended Actions

  • Upgrade OpenSift to version 1.6.3‑alpha or later, which removes raw exception strings and hides token data.
  • Ensure error handlers return only generic messages to clients; log exception text and stack traces server‑side under a reference identifier instead of including them in the response.
  • Modify the UI and token rotation API to exclude any login token material from client‑side renderings, and confirm that no sensitive information is included in the response payloads.
  • Enforce authentication and proper access control on the vulnerable endpoints to limit exposure to authorized users only.
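The two hardening patterns behind the actions above, as an added example written for this page (it is not OpenSift's code and does not reflect how the project fixed the issue). OpenSift is a Python application per its CPE, so the example is Python and framework‑agnostic. The "before" handler shows the CWE‑209 pattern of returning the exception text; the hardened handler logs the traceback server‑side under a reference id and returns a generic message. For CWE‑200, a redaction pass strips credential fields and token‑shaped strings from any payload that is rendered, echoed or logged, and a scanning check confirms captured responses are clean. The logger name, the credential field names, the JWT pattern and the sample exception are assumptions constructed for illustration.

```python
"""Added example for this advisory's two weakness classes, not OpenSift code.

CWE-209: an error handler that returns str(exc) to the client, beside a hardened
handler that logs the traceback server-side under a reference id and returns a
generic message.  CWE-200: a redaction pass for payloads that are rendered,
echoed or logged, plus a check that scans captured responses for leaked
exception text or token-shaped strings.  Field names, patterns and the sample
exception are constructed for illustration.
"""
import logging
import re
import traceback
import uuid

log = logging.getLogger("opensift.example")  # assumed logger name


def unsafe_error_response(exc: Exception) -> dict:
    """Pre-fix pattern: exception text goes straight to the client.  str(exc)
    routinely carries file paths, hostnames, connection strings or query text."""
    return {"status": 500, "body": {"error": str(exc)}}


def safe_error_response(exc: Exception) -> dict:
    """Hardened pattern: full traceback to the server log, keyed by a random
    reference id; the client gets only a generic message and that id."""
    ref = uuid.uuid4().hex[:12]
    log.error("ref=%s %s", ref,
              "".join(traceback.format_exception(type(exc), exc, exc.__traceback__)))
    return {"status": 500, "body": {"error": "Internal server error", "ref": ref}}


# Assumed credential-bearing field names; adjust to the real response schema.
SECRET_KEY_RE = re.compile(r"token|secret|password|api[_-]?key|session", re.I)
# JWT shape: three base64url segments joined by dots.
JWT_RE = re.compile(r"\b[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b")


def redact(obj):
    """Recursively strip credential fields and token-shaped strings from a payload
    before it is rendered in a template, echoed in a UI response, or logged.
    A rotation endpoint should hand the new token to the client exactly once on a
    dedicated channel; everything rendered or logged about it goes through here."""
    if isinstance(obj, dict):
        return {k: "[REDACTED]" if SECRET_KEY_RE.search(k) else redact(v)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    if isinstance(obj, str):
        return JWT_RE.sub("[REDACTED]", obj)
    return obj


# Strings that mark Python exception text in a response body (heuristic).
TRACEBACK_MARKERS = ("Traceback (most recent call last)", 'File "', "Error:", "Exception")


def find_leaks(body: str) -> list:
    """Check to run over captured responses from every endpoint after upgrading:
    returns the kinds of sensitive material found, or an empty list when clean."""
    found = []
    if any(m in body for m in TRACEBACK_MARKERS):
        found.append("exception-text")
    if JWT_RE.search(body):
        found.append("token")
    return found


if __name__ == "__main__":
    exc = RuntimeError("connect to db.internal:5432 failed")  # constructed failure
    print(unsafe_error_response(exc))   # leaks the internal hostname
    print(safe_error_response(exc))     # generic message plus reference id
    page = {"user": "alice",
            "access_token": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2lnbmF0dXJlX3BhZA"}
    print(redact(page))
    print(find_leaks(str(page)), find_leaks(str(redact(page))))
```

Run `find_leaks` against the bodies of every endpoint exercised by the test suite, including the error paths that raise, before and after upgrading to 1.6.3‑alpha; a non‑empty result on a post‑upgrade response means the endpoint still needs attention. The JWT pattern is only a heuristic for one common token format; extend it to whatever shape the deployment's login tokens take.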

Advisories

No advisories yet.

History

Wed, 18 Mar 2026 13:15:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:opensift:opensift:*:*:*:*:*:python:*:*

Mon, 09 Mar 2026 20:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type: First Time appeared
Values Added: Opensift; Opensift opensift

Type: Vendors & Products
Values Added: Opensift; Opensift opensift

Fri, 06 Mar 2026 04:45:00 +0000

Type: Description
Values Added: OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI. Prior to version 1.6.3-alpha, some endpoints returned raw exception strings to clients. Additionally, login token material was exposed in UI/rendered responses and token rotation output. This issue has been patched in version 1.6.3-alpha.

Type: Title
Values Added: OpenSift: Sensitive implementation details exposed via raw exception messages and token-returning endpoints

Type: Weaknesses
Values Added: CWE-200, CWE-209

Type: References
Values Added:

Type: Metrics (cvssV3_1)
Values Added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-09T19:49:23.221Z

Reserved: 2026-03-02T21:43:19.926Z

Link: CVE-2026-28675

Vulnrichment

Updated: 2026-03-09T19:49:19.291Z

NVD

Status : Analyzed

Published: 2026-03-06T05:16:35.900

Modified: 2026-03-18T13:04:29.440

Link: CVE-2026-28675

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T12:30:06Z

Weaknesses