CVE-2026-28518: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Volcengine OpenViking
OpenViking versions 0.2.1 and prior, fixed in commit 46b3e76, contain a path traversal vulnerability in the .ovpack import handling that allows attackers to write files outside the intended import directory. Attackers can craft malicious ZIP archives with traversal sequences, absolute paths, or drive prefixes in member names to overwrite or create arbitrary files with the importing process privileges.
AI Analysis
Technical Summary
CVE-2026-28518 is a path traversal vulnerability (CWE-22) affecting Volcengine's OpenViking product versions 0.2.1 and prior. The issue arises in the handling of .ovpack imports, where crafted ZIP archives containing directory traversal sequences, absolute paths, or drive prefixes in file member names can cause files to be written outside the intended directory. This allows an attacker to overwrite or create arbitrary files with the privileges of the process performing the import. The vulnerability is fixed in commit 46b3e76.
Potential Impact
Successful exploitation allows an attacker to write or overwrite arbitrary files on the system with the importing process's privileges, potentially leading to code execution, data corruption, or system compromise depending on the context and privileges of the importing process. The vulnerability is rated high severity with a CVSS 4.0 score of 8.4, indicating significant impact if exploited.
Mitigation Recommendations
A fix for this vulnerability is available and was implemented in commit 46b3e76. Users of OpenViking should upgrade to a version including this fix or apply the patch from the referenced commit to prevent exploitation. No additional vendor advisory is provided, so check the official Volcengine resources for updated releases or patches.
CVE-2026-28518: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Volcengine OpenViking
Description
OpenViking versions 0.2.1 and prior, fixed in commit 46b3e76, contain a path traversal vulnerability in the .ovpack import handling that allows attackers to write files outside the intended import directory. Attackers can craft malicious ZIP archives with traversal sequences, absolute paths, or drive prefixes in member names to overwrite or create arbitrary files with the importing process privileges.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-28518 is a path traversal vulnerability (CWE-22) affecting Volcengine's OpenViking product versions 0.2.1 and prior. The issue arises in the handling of .ovpack imports, where crafted ZIP archives containing directory traversal sequences, absolute paths, or drive prefixes in file member names can cause files to be written outside the intended directory. This allows an attacker to overwrite or create arbitrary files with the privileges of the process performing the import. The vulnerability is fixed in commit 46b3e76.
Potential Impact
Successful exploitation allows an attacker to write or overwrite arbitrary files on the system with the importing process's privileges, potentially leading to code execution, data corruption, or system compromise depending on the context and privileges of the importing process. The vulnerability is rated high severity with a CVSS 4.0 score of 8.4, indicating significant impact if exploited.
Mitigation Recommendations
A fix for this vulnerability is available and was implemented in commit 46b3e76. Users of OpenViking should upgrade to a version including this fix or apply the patch from the referenced commit to prevent exploitation. No additional vendor advisory is provided, so check the official Volcengine resources for updated releases or patches.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-02-27T21:07:55.466Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69a6f4b6d1a09e29cb4db07f
Added to database: 3/3/2026, 2:48:22 PM
Last enriched: 4/3/2026, 12:58:32 PM
Last updated: 4/18/2026, 7:46:30 AM
Views: 48
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.