CVE-2026-28276: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in Morelitea initiative
Description
Initiative is a self-hosted project management platform. An access control vulnerability exists in Initiative versions prior to 0.32.2 where uploaded documents are served from a publicly accessible /uploads/ directory without any authentication or authorization checks. Any uploaded file can be accessed directly via its URL by unauthenticated users (e.g., in an incognito browser session), leading to potential disclosure of sensitive documents. The problem was patched in v0.32.2, and the patch was further improved on in 0.32.4.
AI Analysis
Technical Summary
CVE-2026-28276 affects Morelitea Initiative, a self-hosted project management platform, in versions prior to 0.32.2. The root cause is a missing access control: uploaded documents are served from a web-accessible /uploads/ directory with no authentication or authorization check, so any file uploaded to the platform can be fetched by anyone who knows or can guess its URL, including an unauthenticated visitor in an incognito browser session. The URL is the only secret, and upload file names are frequently guessable. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), CWE-284 (Improper Access Control) and CWE-862 (Missing Authorization): the request is neither authenticated nor checked against the project the document belongs to. The reported CVSS 3.1 base score is 7.5 (High), consistent with a network-reachable flaw that needs no privileges or user interaction and fully compromises confidentiality while leaving integrity and availability untouched (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). The issue was addressed in version 0.32.2, which introduced authentication and authorization checks on access to uploaded files; the advisory states that the fix was further improved in 0.32.4 without detailing the change, so 0.32.4 should be treated as the minimum safe version. No exploitation in the wild had been reported as of publication, but the flaw requires no tooling beyond a browser. After upgrading, confirm that an unauthenticated request to a known upload URL is refused: a web server or reverse proxy configured to serve /uploads/ as static content would bypass the application's new checks.
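The following Python is an added illustration for this analysis; it is not Initiative's code and does not claim to show how the 0.32.2 or 0.32.4 fix is implemented. The Upload record, Session object, project membership model and the /srv/initiative/uploads location are all assumed for the example. vulnerable_resolve() reproduces the pre-0.32.2 pattern the advisory describes, where the URL alone decides what is served; hardened_resolve() shows the shape of a fix: an opaque document id instead of a file name, an authenticated session, a per-project authorization check, and a containment check on the final path.

```python
"""Illustrative example (added here; not Initiative's code): the unauthenticated
/uploads/ serving pattern beside an authorization-enforcing alternative.
Upload, Session, the project membership model and UPLOAD_ROOT are assumptions
made for this example."""
import posixpath
from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Dict, FrozenSet, Optional

UPLOAD_ROOT = PurePosixPath("/srv/initiative/uploads")  # assumed location


@dataclass(frozen=True)
class Upload:
    upload_id: str
    stored_name: str   # file name on disk under UPLOAD_ROOT
    project_id: str


@dataclass(frozen=True)
class Session:
    user_id: str
    projects: FrozenSet[str]   # projects the user is a member of


# Constructed sample records. "doc-3" carries a deliberately bad stored_name
# to exercise the containment check in hardened_resolve().
UPLOADS: Dict[str, Upload] = {
    "doc-1": Upload("doc-1", "q4-roadmap.pdf", "proj-a"),
    "doc-2": Upload("doc-2", "salaries.xlsx", "proj-hr"),
    "doc-3": Upload("doc-3", "../../etc/passwd", "proj-a"),
}


def vulnerable_resolve(url_path: str) -> Optional[PurePosixPath]:
    """Pre-0.32.2 pattern: anything under /uploads/ maps straight to a file.
    No session is consulted, so an incognito browser gets the same answer
    as a project member."""
    prefix = "/uploads/"
    if not url_path.startswith(prefix):
        return None
    return UPLOAD_ROOT / url_path[len(prefix):]


def hardened_resolve(url_path: str, session: Optional[Session]) -> Optional[PurePosixPath]:
    """Serve documents through the application at /files/<id>, deciding per request."""
    parts = PurePosixPath(url_path).parts          # e.g. ('/', 'files', 'doc-1')
    if len(parts) != 3 or parts[0] != "/" or parts[1] != "files":
        return None
    if session is None:                            # authentication
        return None
    upload = UPLOADS.get(parts[2])                 # lookup by opaque id, not file name
    if upload is None or upload.project_id not in session.projects:   # authorization
        return None                                # same answer for missing and forbidden
    # Containment: even a poisoned stored_name must not escape UPLOAD_ROOT.
    full = PurePosixPath(posixpath.normpath(str(UPLOAD_ROOT / upload.stored_name)))
    if UPLOAD_ROOT not in full.parents:
        return None
    return full


if __name__ == "__main__":
    alice = Session("alice", frozenset({"proj-a"}))
    print("vulnerable, no session :", vulnerable_resolve("/uploads/salaries.xlsx"))
    print("hardened, no session   :", hardened_resolve("/files/doc-2", None))
    print("hardened, wrong project:", hardened_resolve("/files/doc-2", alice))
    print("hardened, member       :", hardened_resolve("/files/doc-1", alice))
    print("hardened, bad record   :", hardened_resolve("/files/doc-3", alice))
```

The point of the hardened variant is that the decision to serve a file is made by application code that knows who is asking and which project the document belongs to; a static directory mapped by the web server cannot make that decision, which is why the stopgap mitigations below operate at the proxy rather than in the application.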
Potential Impact
Organizations running vulnerable versions risk unauthorized disclosure of every document uploaded to the platform: confidential business information, project plans, intellectual property or personal data, with the attendant reputational, regulatory and financial consequences. Because no authentication or user interaction is required, anyone with network access to the instance, which for internet-facing deployments means anyone at all, can retrieve files remotely and silently. The impact is confined to confidentiality; the flaw gives no write access and does not affect availability. Disclosed documents can, however, seed follow-on attacks such as social engineering, corporate espionage or targeted phishing, and files an attacker has already downloaded remain disclosed regardless of any later upgrade. Organizations relying on Initiative for project management and document sharing should treat this vulnerability as critical to their data protection posture.
Mitigation Recommendations
1. Upgrade Morelitea Initiative to 0.32.4 or later (0.32.2 contains the initial fix; the advisory states that 0.32.4 improved on it) so that access to uploaded files is authenticated and authorized by the application.
2. If an immediate upgrade is not possible, restrict access to the /uploads/ path at the web server or reverse proxy by source IP allowlisting, an authenticating proxy, or network segmentation (VPN-only access). Note that before 0.32.2 the application itself hands out direct /uploads/ URLs, so a blanket deny on the path also breaks legitimate downloads for logged-in users; restrict by source network or proxy-level authentication rather than blocking the path outright.
3. Review access logs for the /uploads/ path to establish which documents were fetched from unexpected sources during the exposure window, audit those documents for sensitive content, and run incident response (notification, and rotation of any credentials that were stored in exposed documents) accordingly.
4. Keep logging and monitoring of the /uploads/ path in place after the upgrade: a 2xx response to an unauthenticated request there means the fix is not effective in your deployment, for example because a web server or proxy still serves the directory as static content.
5. Educate users and administrators on secure file handling and on applying software updates promptly.
6. Consider a web application firewall with rules limiting direct access to upload directories, as a compensating control and not a substitute for the patch.
7. Include authorization checks on file download endpoints in regular security assessments and penetration tests, since this class of weakness (a static directory exposed outside the application's access control) recurs across web applications.
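To support steps 3 and 4, here is a log triage script added to this analysis; it is not part of Initiative or of the advisory. It scans web-server access logs in the Combined Log Format (the nginx and Apache default) for successful direct requests to /uploads/ from outside an assumed trusted network, which answers "which documents were fetched, and by whom" for the exposure window and, run after the upgrade, confirms that such requests no longer succeed. The log lines, the trusted 10.20.0.0/16 range and the IP addresses are constructed for the example.

```python
"""Access-log triage for direct /uploads/ downloads (added example; not part of
Initiative or the advisory). The sample log lines and TRUSTED_NETS below are
constructed for this example."""
import ipaddress
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, Optional, Set, Tuple
from urllib.parse import unquote

# Combined Log Format:
#   ip - user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Source networks allowed to reach /uploads/ directly (e.g. an office VPN).
# Assumed for the example; adjust to the deployment.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

UPLOAD_PREFIX = "/uploads/"


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop the query string and percent-decode so /uploads/Q4%20plan.docx and
    # /uploads/Q4 plan.docx are counted as the same document.
    rec["path"] = unquote(rec["path"].split("?", 1)[0])
    return rec


def is_trusted(ip: str) -> bool:
    """True if the source address falls inside one of TRUSTED_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def triage(lines: Iterable[str]) -> Tuple[Dict[str, Set[str]], Counter]:
    """Return (document path -> source IPs that fetched it, source IP -> hit count)
    for successful GET/HEAD requests to /uploads/ from untrusted addresses.
    A 2xx HEAD still confirms the file is reachable without authentication.
    4xx responses are skipped: after the fix they are the expected answer."""
    exposed: Dict[str, Set[str]] = defaultdict(set)
    per_ip: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in ("GET", "HEAD"):
            continue
        if not rec["path"].startswith(UPLOAD_PREFIX):
            continue
        if not 200 <= rec["status"] < 300:
            continue
        if is_trusted(rec["ip"]):
            continue
        exposed[rec["path"]].add(rec["ip"])
        per_ip[rec["ip"]] += 1
    return dict(exposed), per_ip


# Constructed sample log: two external downloads before the upgrade, one
# internal (trusted) download, one percent-encoded external download, one
# post-upgrade 403, one unrelated request and one unparseable line.
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Feb/2026:22:41:03 +0000] "GET /uploads/q4-roadmap.pdf HTTP/1.1" 200 48211 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [26/Feb/2026:22:41:09 +0000] "GET /uploads/salaries.xlsx HTTP/1.1" 200 9120 "-" "curl/8.5.0"',
    '10.20.4.15 - alice [26/Feb/2026:22:42:30 +0000] "GET /uploads/q4-roadmap.pdf HTTP/1.1" 200 48211 "https://pm.example/projects/a" "Mozilla/5.0"',
    '198.51.100.2 - - [26/Feb/2026:22:43:01 +0000] "GET /uploads/Q4%20plan.docx HTTP/1.1" 200 22044 "-" "python-requests/2.31"',
    '198.51.100.2 - - [27/Feb/2026:09:10:44 +0000] "GET /uploads/salaries.xlsx HTTP/1.1" 403 162 "-" "python-requests/2.31"',
    '198.51.100.2 - - [27/Feb/2026:09:11:02 +0000] "GET /projects/a HTTP/1.1" 302 0 "-" "python-requests/2.31"',
    'not a log line',
]


if __name__ == "__main__":
    files, ips = triage(SAMPLE_LOG)
    for path, sources in sorted(files.items()):
        print(f"{path}: fetched by {', '.join(sorted(sources))}")
    for ip, n in ips.most_common():
        print(f"{ip}: {n} direct download(s)")
```

Run it over the real log files instead of SAMPLE_LOG (for example by reading sys.stdin line by line) and widen TRUSTED_NETS to the networks that legitimately reach the instance. The paths it reports are the documents to audit under step 3; any path it still reports for requests made after the upgrade indicates that the /uploads/ directory is being served outside the application's access control.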
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, Japan, South Korea, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-26T01:52:58.734Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69a0d31032ffcdb8a2667dfb
Added to database: 2/26/2026, 11:11:12 PM
Last enriched: 2/26/2026, 11:25:35 PM
Last updated: 4/12/2026, 9:34:40 AM