CVE-2026-28518 is a path traversal vulnerability classified under CWE-22 affecting Volcengine's OpenViking software, specifically versions 0.2.1 and prior. The vulnerability arises from improper validation and limitation of file paths during the import of .ovpack files, which are ZIP archives used by OpenViking. Attackers can craft malicious ZIP archives containing directory traversal sequences (e.g., ../), absolute paths, or drive letter prefixes in the archive member names. When these archives are imported, the software fails to restrict file extraction to the intended directory, allowing files to be written or overwritten anywhere on the filesystem accessible by the importing process. This can lead to arbitrary file creation or modification, potentially enabling code execution, privilege escalation, or disruption of system operations. The vulnerability does not require authentication but does require user interaction to initiate the import process. The CVSS 4.0 base score is 8.4, reflecting high severity due to the potential for high impact on confidentiality, integrity, and availability, combined with low attack complexity and no privileges required. The issue was fixed in a specific commit (46b3e76), but no official patch links are provided in the data. No known exploits have been reported in the wild as of the publication date. The vulnerability is particularly relevant for environments using OpenViking for cloud-native application packaging and deployment, where improper file writes could compromise container images, deployment configurations, or host systems.

The impact of CVE-2026-28518 is significant for organizations utilizing Volcengine OpenViking, especially in cloud-native and containerized environments. Successful exploitation can lead to unauthorized file writes outside the intended directory, potentially overwriting critical system or application files. This can result in arbitrary code execution, privilege escalation, or disruption of services, severely affecting confidentiality, integrity, and availability. Attackers could implant backdoors, modify deployment manifests, or corrupt application binaries, leading to persistent compromise or denial of service. Since the vulnerability requires user interaction but no authentication, social engineering or supply chain attacks could be vectors for exploitation. The broad scope of affected systems and the high privileges of the importing process amplify the risk. Organizations relying on OpenViking for software packaging and deployment must consider this vulnerability a critical risk to their software supply chain security and operational stability.

To mitigate CVE-2026-28518, organizations should immediately update OpenViking to the fixed version containing commit 46b3e76 or later. If an update is not immediately possible, restrict access to the import functionality to trusted users and environments only. Implement strict input validation and sanitization on .ovpack files before import, including rejecting archives with traversal sequences, absolute paths, or drive prefixes in member names. Employ runtime protections such as filesystem access controls and sandboxing to limit the impact of unauthorized file writes. Monitor file system changes in directories used by OpenViking imports for suspicious activity. Educate users about the risks of importing untrusted packages and enforce policies to verify package integrity and provenance. Additionally, integrate security scanning of .ovpack files in CI/CD pipelines to detect malicious content before deployment. Regularly audit and review deployment environments for unexpected file modifications that could indicate exploitation.