CVE-2026-28518: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Volcengine OpenViking
OpenViking versions 0.2.1 and prior, fixed in commit 46b3e76, contain a path traversal vulnerability in the .ovpack import handling that allows attackers to write files outside the intended import directory. Attackers can craft malicious ZIP archives with traversal sequences, absolute paths, or drive prefixes in member names to overwrite or create arbitrary files with the importing process privileges.
AI Analysis
Technical Summary
CVE-2026-28518 is a path traversal vulnerability (CWE-22) affecting Volcengine's OpenViking software versions 0.2.1 and prior. The issue exists in the handling of .ovpack imports, where attackers can include traversal sequences, absolute paths, or drive prefixes in ZIP archive member names. This allows writing files outside the intended directory, potentially leading to arbitrary file creation or overwriting with the privileges of the importing process. The vulnerability is addressed in a specific commit (46b3e76), but no direct patch link is provided in the data.
Potential Impact
Successful exploitation allows an attacker to write or overwrite arbitrary files on the system where OpenViking is running, using the privileges of the importing process. This can lead to unauthorized modification of files, potential code execution, or disruption of system integrity. The high CVSS score (8.4) reflects the significant risk posed by this vulnerability.
Mitigation Recommendations
A fix for this vulnerability is available as indicated by the referenced commit (46b3e76). Users should update OpenViking to a version that includes this fix. Since no official patch link is provided, users should consult the vendor's repository or advisory for the updated version. No cloud service remediation applies as this is not a cloud-hosted product. Until patched, avoid importing untrusted .ovpack files to mitigate risk.
CVE-2026-28518: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Volcengine OpenViking
Description
OpenViking versions 0.2.1 and prior, fixed in commit 46b3e76, contain a path traversal vulnerability in the .ovpack import handling that allows attackers to write files outside the intended import directory. Attackers can craft malicious ZIP archives with traversal sequences, absolute paths, or drive prefixes in member names to overwrite or create arbitrary files with the importing process privileges.
CVSS v4.0
Score 8.4high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-28518 is a path traversal vulnerability (CWE-22) affecting Volcengine's OpenViking software versions 0.2.1 and prior. The issue exists in the handling of .ovpack imports, where attackers can include traversal sequences, absolute paths, or drive prefixes in ZIP archive member names. This allows writing files outside the intended directory, potentially leading to arbitrary file creation or overwriting with the privileges of the importing process. The vulnerability is addressed in a specific commit (46b3e76), but no direct patch link is provided in the data.
Potential Impact
Successful exploitation allows an attacker to write or overwrite arbitrary files on the system where OpenViking is running, using the privileges of the importing process. This can lead to unauthorized modification of files, potential code execution, or disruption of system integrity. The high CVSS score (8.4) reflects the significant risk posed by this vulnerability.
Mitigation Recommendations
A fix for this vulnerability is available as indicated by the referenced commit (46b3e76). Users should update OpenViking to a version that includes this fix. Since no official patch link is provided, users should consult the vendor's repository or advisory for the updated version. No cloud service remediation applies as this is not a cloud-hosted product. Until patched, avoid importing untrusted .ovpack files to mitigate risk.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-02-27T21:07:55.466Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69a6f4b6d1a09e29cb4db07f
Added to database: 3/3/2026, 2:48:22 PM
Last enriched: 5/26/2026, 7:43:23 AM
Last updated: 6/1/2026, 1:57:33 PM
Views: 102
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.