CVE-2026-28795 identifies a critical path traversal vulnerability (CWE-22) in the openchatbi project, an intelligent chat-based business intelligence tool leveraging large language models for data querying and visualization. The vulnerability resides in the save_report.py script, specifically in the handling of the file_format parameter. Prior to version 0.2.2, this parameter is not properly sanitized, allowing an attacker to craft malicious input that traverses directories beyond the intended restricted folder. This improper limitation of pathname enables attackers to read or write arbitrary files on the server hosting openchatbi. The vulnerability is remotely exploitable without any authentication or user interaction, increasing its risk profile. The CVSS 4.0 base score of 8.7 reflects its high severity, with network attack vector, low attack complexity, and no privileges or user interaction required. The impact is confined to confidentiality due to unauthorized file access, with no direct integrity or availability impact reported. The vulnerability was publicly disclosed and patched in version 0.2.2, but no known exploits have been observed in the wild as of the publication date. Given openchatbi's role in handling sensitive business intelligence data, exploitation could lead to significant data exposure or manipulation risks.

The exploitation of this path traversal vulnerability can have severe consequences for organizations relying on openchatbi for data analytics and reporting. Attackers can access sensitive configuration files, user data, or other critical system files outside the intended directory, leading to confidentiality breaches. Unauthorized file overwrites could also disrupt application functionality or facilitate further compromise through planting malicious files or scripts. Since the vulnerability requires no authentication and can be triggered remotely, it significantly lowers the barrier for attackers, including opportunistic threat actors and automated scanning tools. Organizations in sectors with high data sensitivity, such as finance, healthcare, and government, face elevated risks of data leakage and compliance violations. Additionally, attackers could leverage this vulnerability as a foothold for lateral movement within the network or to escalate privileges if combined with other vulnerabilities. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the potential for future attacks, especially as the vulnerability details are public.

To mitigate CVE-2026-28795, organizations should immediately upgrade openchatbi to version 0.2.2 or later, where the vulnerability has been patched. If upgrading is not immediately feasible, implement strict input validation and sanitization on the file_format parameter to prevent directory traversal sequences such as '../'. Employ application-layer firewalls or web application firewalls (WAFs) with custom rules to detect and block suspicious path traversal attempts targeting the save_report endpoint. Restrict file system permissions for the openchatbi application user to limit access strictly to necessary directories, minimizing the impact of any potential exploitation. Conduct thorough code reviews and penetration testing focusing on file handling functions to identify similar vulnerabilities. Monitor logs for unusual file access patterns or errors related to file operations. Finally, maintain an incident response plan tailored to data breaches involving business intelligence tools to ensure rapid containment and remediation if exploitation occurs.