Unrated severityNVD Advisory· Published Feb 26, 2026· Updated Feb 27, 2026

Initiative Allows Unauthenticated Access to Uploaded Documents via Public /uploads/ Endpoint

CVE-2026-28276

Description

Initiative is a self-hosted project management platform. An access control vulnerability exists in Initiative versions prior to 0.32.2 where uploaded documents are served from a publicly accessible /uploads/ directory without any authentication or authorization checks. Any uploaded file can be accessed directly via its URL by unauthenticated users (e.g., in an incognito browser session), leading to potential disclosure of sensitive documents. The problem was patched in v0.32.2, and the patch was further improved on in 032.4.

Affected products

Initiative/Initiativellm-create
Range: <0.32.2
Morelitea/initiativev5
Range: < 0.32.2

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/Morelitea/initiative/releases/tag/v0.32.2mitrex_refsource_MISC
github.com/Morelitea/initiative/security/advisories/GHSA-w34j-fx72-h2pqmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000