CVE-2026-28518
📋 TL;DR
OpenViking versions 0.2.1 and earlier contain a path traversal (Zip Slip) vulnerability in .ovpack import handling that lets an attacker write arbitrary files outside the intended import directory. The attacker crafts a ZIP archive whose member names carry traversal sequences (such as ../); when a user imports it, files are created or overwritten with the privileges of the importing process. All users of vulnerable OpenViking versions are affected.
💻 Affected Systems
- OpenViking
⚠️ Manual Verification Required
The NVD entry for this CVE carries no version range, so automatic detection cannot tell whether your system is affected.
Why? The vendor/NVD record does not specify which versions are vulnerable. The advisory text itself names 0.2.1 and earlier; treat any build that predates the fix commit as affected until you have verified otherwise.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via arbitrary file overwrite leading to privilege escalation, remote code execution, or system destruction.
Likely Case
Local file corruption, data loss, or limited privilege escalation depending on process permissions.
If Mitigated
Contained file system damage limited to user's own directories if running with minimal privileges.
🎯 Exploit Status
Exploitation requires a user to import a malicious .ovpack file; the attacker needs no access to the host, only a way to get the archive in front of a user (a shared pack, a download). Zip Slip techniques are well documented and trivial to implement: the archive is an ordinary ZIP whose member names contain ../ sequences, and the write happens with whatever privileges the importing process holds.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in commit 46b3e76e28b9b3eee73693720c9ec48820228b72
Vendor Advisory: https://github.com/volcengine/OpenViking/commit/46b3e76e28b9b3eee73693720c9ec48820228b72
Restart Required: No
Instructions:
1. Update OpenViking to a release that includes commit 46b3e76.
2. If you run from source, apply the commit that validates ZIP member paths during .ovpack import.
3. Rebuild or reinstall if you compile from source.
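For reference, the following added example (written for this advisory; it is not OpenViking's code and does not reproduce the patched function) shows the unsafe extraction pattern the CVE describes beside a hardened extractor that validates every ZIP member path before writing, both run against a constructed malicious .ovpack. The archive contents, directory names and function names are assumptions for the demonstration.

```python
"""Zip Slip check for .ovpack-style archives.

Added illustration for this advisory, not OpenViking's code: a constructed
malicious archive, the naive extraction pattern the CVE describes, and a
hardened extractor that validates every ZIP member path before writing.
"""
import io
import os
import stat
import tempfile
import zipfile
from typing import Dict, List, Optional, Tuple


def build_malicious_ovpack() -> bytes:
    """Constructed test archive: one benign member plus three hostile ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pack/manifest.json", '{"name": "demo"}')
        zf.writestr("../../escaped.txt", "owned")        # relative traversal
        zf.writestr("/tmp/abs_escape.txt", "owned")       # absolute member name
        link = zipfile.ZipInfo("pack/link")               # symlink member
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "../../")
    return buf.getvalue()


def naive_targets(archive: bytes, dest: str) -> List[str]:
    """Where the vulnerable pattern would write: os.path.join(dest, name), unchecked.
    Only computes the paths; nothing is written."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [os.path.abspath(os.path.join(dest, m.filename))
                for m in zf.infolist() if not m.is_dir()]


def validated_target(dest: str, member: zipfile.ZipInfo) -> Optional[str]:
    """Absolute path to write, or None if the member must be rejected."""
    if stat.S_ISLNK(member.external_attr >> 16):
        return None            # never materialise symlinks from an untrusted pack
    if "\\" in member.filename:
        return None            # ZIP names use '/'; a backslash is a Windows traversal trick
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, member.filename))
    # commonpath, not startswith: '/data/import' must not accept '/data/importX/file'
    if target == dest_real or os.path.commonpath([dest_real, target]) != dest_real:
        return None
    return target


def safe_extract(archive: bytes, dest: str) -> Tuple[List[str], List[str]]:
    """Hardened extractor: returns (written paths, rejected member names)."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for member in zf.infolist():
            if member.is_dir():
                continue
            target = validated_target(dest, member)
            if target is None:
                rejected.append(member.filename)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(member))
            written.append(target)
    return written, rejected


def demo() -> Dict[str, List[str]]:
    """Run both extractors against the constructed pack inside a scratch directory."""
    root = tempfile.mkdtemp()
    dest = os.path.join(root, "a", "b", "import")   # nested so '../../' stays under root
    os.makedirs(dest)
    archive = build_malicious_ovpack()
    dest_real = os.path.realpath(dest)
    escapes = [p for p in naive_targets(archive, dest)
               if os.path.commonpath([dest_real, os.path.realpath(p)]) != dest_real]
    written, rejected = safe_extract(archive, dest)
    return {"naive_escapes": escapes, "written": written, "rejected": rejected}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The naive join lands two of the four members outside the import directory; the hardened path resolves the destination with realpath, compares with commonpath rather than a string prefix (so a sibling directory that merely starts with the same name is not accepted), and refuses symlink members outright, since a symlink written first and a regular file written through it later is the usual way to defeat a check that only looks at the member name.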
🔧 Temporary Workarounds
Disable .ovpack imports (all platforms)
Temporarily disable the vulnerable import functionality until patching.
# Configure OpenViking to reject .ovpack imports or disable the import feature
Run with minimal privileges (Linux)
Run OpenViking under a non-privileged user account so that an escaped write can only reach paths that account can already write to.
sudo -u lowprivuser openviking
🧯 If You Can't Patch
- Restrict .ovpack file sources to trusted locations only
- Implement file integrity monitoring on critical system directories
🔍 How to Verify
Check if Vulnerable:
Check the installed OpenViking version: 0.2.1 or earlier is vulnerable. If you run from source, check whether your checkout contains commit 46b3e76; if not, review the .ovpack import code for validation of ZIP member paths before they are written to disk.
Check Version:
openviking --version, or query your package manager (for example pip show openviking if it was installed with pip)
Verify Fix Applied:
Confirm the running build includes commit 46b3e76. Then import a test .ovpack containing a member whose name carries a traversal sequence (for example ../escape.txt) into an empty scratch directory, and confirm that the import is rejected and no file appears outside that directory.
📡 Detection & Monitoring
Log Indicators:
- Failed import attempts with unusual file paths
- File write operations outside expected directories
Network Indicators:
- Downloads of .ovpack files from untrusted sources
SIEM Query:
source="openviking" AND (event="import" OR event="write") AND path CONTAINS ".."
Caveat: a substring match on ".." fires on ordinary names such as draft..v2.txt and misses absolute member names and percent-encoded dots (%2e%2e); where your SIEM allows it, match on path components and decode before comparing.
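Added detection example, not from the page or the project: the SIEM rule above is expressed as a small Python filter run over constructed log lines in an assumed key=value format (OpenViking's real log layout is not given here), extended to decode percent-encoded dots, flag absolute member names, and ignore file names that merely contain "..".

```python
"""Traversal detection over .ovpack import/write log events.

Added example for this advisory, not OpenViking's code: the log layout is an
assumed key=value format (the project's real log format is not given here).
"""
import posixpath
import re
from typing import Dict, List
from urllib.parse import unquote

IMPORT_ROOT = "/var/lib/openviking/import"   # assumed import directory

# Constructed sample lines: two benign imports, one benign write, and four
# events a traversal attempt would leave behind (relative, absolute, encoded).
SAMPLE_LOGS = """\
ts=2026-03-01T10:00:00Z source=openviking event=import pack=good.ovpack member=pack/manifest.json
ts=2026-03-01T10:00:01Z source=openviking event=write path=/var/lib/openviking/import/pack/manifest.json
ts=2026-03-01T10:05:00Z source=openviking event=import pack=evil.ovpack member=../../../etc/cron.d/job
ts=2026-03-01T10:05:01Z source=openviking event=write path=/var/lib/openviking/import/../../../etc/cron.d/job
ts=2026-03-01T10:06:00Z source=openviking event=import pack=evil.ovpack member=/root/.ssh/authorized_keys
ts=2026-03-01T10:07:00Z source=openviking event=import pack=ok.ovpack member=notes/draft..v2.txt
ts=2026-03-01T10:08:00Z source=openviking event=write path=/var/lib/openviking/import/%2e%2e/%2e%2e/escape
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse(line: str) -> Dict[str, str]:
    """key=value tokens to a dict (values carry no spaces in this format)."""
    return dict(KV.findall(line))


def is_traversal(path: str, root: str = IMPORT_ROOT) -> bool:
    """True if path escapes root: a '..' component, a Windows drive path, or an
    absolute path that does not normalise to somewhere under root.
    Decodes percent-encoding first so %2e%2e is seen as '..'."""
    decoded = unquote(path)
    parts = decoded.replace("\\", "/").split("/")
    if ".." in parts:                       # component check, not substring: 'a..b' is fine
        return True
    if re.match(r"^[A-Za-z]:", decoded):    # C:\... can never sit under a POSIX root
        return True
    if posixpath.isabs(decoded):
        return posixpath.commonpath([root, posixpath.normpath(decoded)]) != root
    return False


def flag_events(log_text: str) -> List[Dict[str, str]]:
    """Return the events the SIEM rule should raise on."""
    hits = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev.get("source") != "openviking":
            continue
        if ev.get("event") == "import":
            member = ev.get("member", "")
            # A member name must be relative; any absolute name is hostile by itself.
            bad = posixpath.isabs(unquote(member)) or is_traversal(member)
        elif ev.get("event") == "write":
            bad = is_traversal(ev.get("path", ""))
        else:
            continue
        if bad:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for ev in flag_events(SAMPLE_LOGS):
        print(ev["ts"], ev["event"], ev.get("member") or ev.get("path"))
```

Against the constructed lines the filter raises on the relative traversal, its resulting write, the absolute member name and the percent-encoded write, and stays quiet on the benign import, its write, and the draft..v2.txt name that the plain CONTAINS ".." rule would have flagged.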