Path Traversal Vulnerability in OpenViking by Volcengine
CVE-2026-28518

8.4 HIGH

Key Information:

Vendor: Volcengine
CVE Published: 3 March 2026

What is CVE-2026-28518?

OpenViking versions 0.2.1 and earlier contain a path traversal vulnerability in the .ovpack import process. A malicious user can craft a ZIP archive whose entries contain traversal sequences, absolute paths, or drive prefixes. Importing such an archive writes files outside the designated import directory, potentially overwriting existing files or creating new ones with the privileges of the importing process.
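The checks an importer needs against the three entry-name classes described above, as an added example that is not OpenViking's code or its fix. Python and the names `check_member`, `safe_import` and `build_archive` are assumptions made for illustration; the archive contents are constructed sample data.

```python
import io
import ntpath
import zipfile
from pathlib import Path


class UnsafeEntry(ValueError):
    """An archive entry that would land outside the import directory."""


def check_member(name):
    """Return the entry name as a clean relative path, or raise UnsafeEntry."""
    unified = name.replace("\\", "/")  # treat both separators alike on every OS
    if ntpath.splitdrive(name)[0] or unified.startswith("/"):
        raise UnsafeEntry(f"absolute path or drive prefix: {name!r}")
    parts = [p for p in unified.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise UnsafeEntry(f"traversal sequence or empty name: {name!r}")
    return "/".join(parts)


def safe_import(archive, dest):
    """Validate every entry before writing anything; return the files written."""
    root = Path(dest).resolve()
    written = []
    with zipfile.ZipFile(archive) as zf:
        plan = []
        for info in zf.infolist():
            target = (root / check_member(info.filename)).resolve()
            if root not in target.parents:  # e.g. a symlink already under dest
                raise UnsafeEntry(f"resolves outside import dir: {info.filename!r}")
            plan.append((info, target))
        for info, target in plan:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target.relative_to(root).as_posix())
    return written


def build_archive(names):
    """Constructed sample input: an in-memory ZIP with the given entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, "constructed sample data")
    return buf
```

Because validation runs over the whole archive before the first write, one bad entry rejects the import without leaving partial output in the destination.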

Affected Version(s)

OpenViking 0 <= 0.2.1

OpenViking 46b3e76e28b9b3eee73693720c9ec48820228b72

CVSS V4

Score: 8.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Chia Min Jun Lennon