CVE-2026-28795 Overview
CVE-2026-28795 is a critical path traversal vulnerability affecting OpenChatBI, an intelligent chat-based business intelligence tool powered by large language models. The vulnerability exists in the save_report tool located in openchatbi/tool/save_report.py, where insufficient input sanitization of the file_format parameter allows attackers to traverse file system directories and potentially access or overwrite arbitrary files on the server.
OpenChatBI is designed to help users query, analyze, and visualize data through natural language conversations. Prior to version 0.2.2, the application failed to properly validate and restrict the file format input, creating an exploitable path traversal condition.
Critical Impact
Unauthenticated attackers can exploit this path traversal vulnerability to read sensitive files from the server or potentially overwrite critical system files, leading to data exposure or system compromise.
Affected Products
- zhongyu09 openchatbi versions prior to 0.2.2
Discovery Timeline
- 2026-03-06 - CVE CVE-2026-28795 published to NVD
- 2026-03-10 - Last updated in NVD database
Technical Details for CVE-2026-28795
Vulnerability Analysis
This path traversal vulnerability (CWE-22) stems from the save_report tool's failure to validate and sanitize the file_format parameter before using it in file operations. The vulnerability is network-accessible without requiring authentication or user interaction, making it particularly dangerous for internet-facing deployments.
When the save_report tool processes user input, the file_format field accepts arbitrary strings without proper validation. An attacker could craft malicious input containing directory traversal sequences (such as ../) to escape the intended directory structure and access files outside the expected report storage location.
The impact of successful exploitation includes unauthorized access to sensitive configuration files, database credentials, application source code, or other confidential data stored on the server. Additionally, depending on the application's file handling logic, attackers may be able to overwrite existing files, potentially leading to code execution or denial of service.
Root Cause
The root cause of this vulnerability is the lack of input validation on the file_format parameter in the SaveReportInput class. The original implementation accepted any string value for the file format without restricting it to a predefined list of safe extensions. This allowed attackers to inject path traversal sequences or arbitrary file extensions that could be used to access or manipulate files outside the intended directory scope.
Attack Vector
The attack vector for CVE-2026-28795 is network-based, requiring no authentication or privileges. An attacker can exploit this vulnerability by sending a crafted request to the save_report tool with a malicious file_format value containing path traversal sequences. The application's failure to sanitize this input allows the attacker to manipulate file paths and access unauthorized resources.
# Security patch showing the fix implementation
# Source: https://github.com/zhongyu09/openchatbi/commit/372a7e861da5159c3106d64d6f6edf8284db8c75
class SaveReportInput(BaseModel):
content: str = Field(description="The content of the report to save")
title: str = Field(description="The title of the report (will be used in filename)")
- file_format: str = Field(description="The file format/extension (e.g., 'md', 'csv', 'txt', 'json')")
+ file_format: str = Field(
+ description="The file format/extension, only support 'md', 'csv', 'txt', 'json', 'html', 'xml'")
@tool("save_report", args_schema=SaveReportInput, return_direct=False, infer_schema=True)
The patch restricts the file_format parameter to an allowlist of safe file extensions (md, csv, txt, json, html, xml), preventing path traversal attempts through this parameter.
Detection Methods for CVE-2026-28795
Indicators of Compromise
- Unusual file access patterns in web server or application logs showing path traversal sequences (../, ..%2f, %2e%2e/)
- Requests to the save_report endpoint containing unexpected file format values with directory separators
- Log entries indicating attempts to access system files or directories outside the report storage location
- Anomalous file read or write operations in the OpenChatBI application directory
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block requests containing path traversal patterns in the file_format parameter
- Configure intrusion detection systems (IDS) to alert on requests matching known path traversal signatures
- Enable verbose application logging for the save_report tool to capture all input parameters
- Deploy file integrity monitoring on critical system files and configuration directories
Monitoring Recommendations
- Monitor network traffic to OpenChatBI instances for requests containing encoded path traversal sequences
- Establish baseline file access patterns and alert on deviations in the application's report storage directory
- Review application logs regularly for failed file operations or access denied errors that may indicate exploitation attempts
- Configure SIEM alerts for multiple path traversal attempts from the same source IP
How to Mitigate CVE-2026-28795
Immediate Actions Required
- Upgrade OpenChatBI to version 0.2.2 or later immediately
- Review application and web server logs for signs of exploitation attempts
- If upgrade is not immediately possible, implement network-level controls to restrict access to the OpenChatBI instance
- Audit any files that may have been accessed or modified through exploitation of this vulnerability
Patch Information
The vulnerability has been patched in OpenChatBI version 0.2.2. The fix implements an allowlist restriction on the file_format parameter, limiting accepted values to safe file extensions: md, csv, txt, json, html, and xml.
For detailed patch information, refer to:
Workarounds
- Implement input validation at the web server or reverse proxy level to reject requests containing path traversal patterns
- Restrict network access to OpenChatBI instances using firewall rules to limit exposure
- Deploy a web application firewall (WAF) with rules to block path traversal attempts
# Example nginx configuration to block path traversal attempts
location /save_report {
# Block requests with path traversal patterns
if ($request_body ~* "\.\./|\.\.\\") {
return 403;
}
proxy_pass http://openchatbi_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
