1. Executive Summary
A critical path traversal vulnerability (CVE-2026-28795, NVD Base Score 9.8) exists in OpenChatBI versions prior to 0.2.2, an LLM-powered business intelligence tool (NVD). The save_report tool insufficiently sanitises the file_format parameter using lstrip("."), which does not prevent traversal sequences such as /../../, allowing an unauthenticated attacker to write arbitrary files outside the intended report directory (GHSA-vmwq-8g8c-jm79). Organisations running affected versions should upgrade to OpenChatBI 0.2.2 immediately (GHSA-vmwq-8g8c-jm79).
2. Risk Rating
| Dimension | Rating | Detail |
|---|---|---|
| Severity | Critical | NVD Base Score 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (NVD) |
| Urgency | Medium | Patch available (0.2.2); no known exploitation in the wild; EPSS 0.063% (FIRST.org EPSS) |
| Scope | Narrow | Affects OpenChatBI deployments specifically (RAXE assessment) |
| Confidence | High | CVE assigned, vendor advisory published, fix commit available (NVD, GHSA-vmwq-8g8c-jm79) |
| Business Impact | High | Arbitrary file write leading to remote code execution on the host system (NVD) |
CVSS Divergence Note
Three severity assessments exist for this vulnerability, with significant disagreements:
| Source | Score | Severity | Version | Vector |
|---|---|---|---|---|
| NVD (primary) | 9.8 | Critical | CVSS v3.1 | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| GitHub CNA (secondary) | 8.7 | High | CVSS v4.0 | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| GHSA advisory page | — | Moderate | — | No vector provided |
(NVD, GHSA-vmwq-8g8c-jm79)
Key disagreement — Integrity impact: NVD assigns I:H (high integrity impact), consistent with the advisory-described file write and code execution scenario (GHSA-vmwq-8g8c-jm79). GitHub's CNA-submitted v4.0 vector assigns VI:N (no integrity impact to the vulnerable system), treating this as a confidentiality-only vulnerability — which appears inconsistent with the advisory's description of arbitrary file overwrite leading to RCE (RAXE assessment).
Severity language policy: This draft uses "critical" when citing the NVD 9.8 score specifically. When describing the vulnerability's impact without reference to a specific score, this draft uses the more conservative framing consistent with the advisory-described attack scenario: path traversal enabling arbitrary file write and potential code execution (GHSA-vmwq-8g8c-jm79). The metadata-level CVSS is recorded as 9.8 (the NVD primary score) because NVD provides a complete, verifiable v3.1 vector, whilst the GHSA advisory page provides no vector to support its "Moderate" classification, and the CNA v4.0 vector appears to undercount the integrity impact.
3. Affected Products
| Product | Affected Versions | Fixed Version | Registry | Status |
|---|---|---|---|---|
| OpenChatBI | <= 0.2.1 | 0.2.2 | PyPI | Patched (GHSA-vmwq-8g8c-jm79) |
Am I Affected?
- Check if your environment uses the openchatbi Python package
- Check installed version: pip show openchatbi | grep Version
- If version is 0.2.1 or earlier, you are affected
4. Abstract
CVE-2026-28795 is a path traversal vulnerability in the save_report tool of OpenChatBI, an LLM-powered business intelligence application (NVD). The vulnerable function constructs output filenames via string concatenation using an unsanitised file_format parameter (GHSA-vmwq-8g8c-jm79). The applied sanitisation — file_format.lstrip(".") — removes only leading dot characters and does not prevent forward slash-based traversal sequences (GHSA-vmwq-8g8c-jm79). Because save_report is an AI agent tool, the attack vector involves manipulating the LLM into invoking the function with a crafted parameter value (GHSA-vmwq-8g8c-jm79). The vulnerability was fixed in version 0.2.2 by introducing a strict allowlist of permitted file formats (fix commit 372a7e8).
5. Key Findings
- Insufficient sanitisation in AI agent tool: The save_report tool in openchatbi/tool/save_report.py applies file_format.lstrip(".") which removes leading dots but does not prevent path traversal sequences such as /../../ (GHSA-vmwq-8g8c-jm79).
- Unauthenticated remote exploitation: The NVD CVSS vector indicates no authentication is required (PR:N), no user interaction is needed (UI:N), and attack complexity is low (AC:L) (NVD).
- File write to code execution: An attacker can overwrite critical application files such as __init__.py, achieving code execution when the module is next imported (GHSA-vmwq-8g8c-jm79).
- AI agent tool as attack surface: The vulnerability is exploited through the LLM's tool-calling interface, representing a class of attacks where AI agent tools become the primary attack vector (RAXE assessment).
6. Attack Flow
Attacker               OpenChatBI                    Filesystem
|                           |                             |
| 1. Submit crafted query   |                             |
|   (manipulate LLM to call |                             |
|   save_report with        |                             |
|   traversal payload)      |                             |
|-------------------------->|                             |
|                           |                             |
|         2. LLM invokes save_report()                    |
|            file_format = "/../../../app/__init__"       |
|                           |                             |
|         3. lstrip(".") applied                          |
|            "/../../../app/__init__" unchanged           |
|                           |                             |
|         4. Filename constructed:                        |
|            "{timestamp}_{title}.{file_format}"          |
|                           |                             |
|                           | 5. File written to          |
|                           |   traversed path            |
|                           |---------------------------->|
|                           |                             |
|                           | 6. __init__.py overwritten  |
|                           |   → RCE on next import      |
|                           |                             |
Attack flow reconstructed from the vulnerability description in GHSA-vmwq-8g8c-jm79. The advisory confirms arbitrary file write capability leading to potential code execution; the specific __init__.py overwrite and import-triggered RCE chain is an example exploitation scenario (RAXE assessment).
7. Technical Details
Vulnerable Code
The save_report tool in openchatbi/tool/save_report.py accepts a file_format parameter described as a file extension (fix commit 372a7e8):
file_format: str = Field(
description="The file format/extension (e.g., 'md', 'csv', 'txt', 'json')"
)
The code applies minimal sanitisation (fix commit 372a7e8):
file_format = file_format.lstrip(".")
Output filenames are constructed via string concatenation (GHSA-vmwq-8g8c-jm79):
f"{timestamp}_{clean_title}.{file_format}"
Sanitisation Failure
The lstrip(".") method only removes leading dot characters from the string. It does not sanitise:
- Forward slash sequences (/../../)
- Backslash sequences on Windows (\..\..\)
- Null byte injection (%00)
A file_format value such as /../../../app/openchatbi/__init__ passes the lstrip(".") check unchanged, causing the constructed file path to escape the intended report output directory (GHSA-vmwq-8g8c-jm79).
Fix Analysis
Version 0.2.2 replaces the open-ended string acceptance with a strict allowlist (fix commit 372a7e8):
allowed_formats = {'md', 'csv', 'txt', 'json', 'html', 'xml'}
if file_format not in allowed_formats:
    raise ValueError(f"Unsupported file format: {file_format}")
This remediates the vulnerability by rejecting any file_format value not in the predefined set of six permitted formats (fix commit 372a7e8).
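The sanitisation failure and the 0.2.2 allowlist side by side, as an added example rather than OpenChatBI's own code. The function names, the REPORT_DIR value and the extra resolved-path containment check are assumptions made for illustration.

```python
import os

ALLOWED_FORMATS = {"md", "csv", "txt", "json", "html", "xml"}  # set from the 0.2.2 fix
REPORT_DIR = "/srv/openchatbi/reports"  # hypothetical report directory
PAYLOAD = "/../../../app/__init__"      # file_format value from the attack flow above


def vulnerable_path(report_dir, timestamp, clean_title, file_format):
    """Pre-0.2.2 pattern: strip leading dots only, then concatenate."""
    file_format = file_format.lstrip(".")  # a value starting with "/" is left untouched
    return os.path.join(report_dir, f"{timestamp}_{clean_title}.{file_format}")


def escapes(report_dir, path):
    """True if path, once normalised, lies outside report_dir."""
    root = os.path.realpath(report_dir)
    return os.path.commonpath([root, os.path.realpath(path)]) != root


def hardened_path(report_dir, timestamp, clean_title, file_format):
    """Allowlist check as in 0.2.2, plus an assumed defence-in-depth containment check."""
    if file_format not in ALLOWED_FORMATS:
        raise ValueError(f"Unsupported file format: {file_format}")
    target = os.path.join(report_dir, f"{timestamp}_{clean_title}.{file_format}")
    if escapes(report_dir, target):
        # Catches traversal arriving through any other filename component.
        raise ValueError("Resolved path escapes the report directory")
    return os.path.realpath(target)


if __name__ == "__main__":
    bad = vulnerable_path(REPORT_DIR, "20260310", "sales", PAYLOAD)
    print("constructed:", bad)
    print("normalised: ", os.path.normpath(bad), "| escapes:", escapes(REPORT_DIR, bad))
    try:
        hardened_path(REPORT_DIR, "20260310", "sales", PAYLOAD)
    except ValueError as exc:
        print("hardened:   ", exc)
    print("hardened ok:", hardened_path(REPORT_DIR, "20260310", "sales", "md"))
```

The containment check does not replace the allowlist; it covers the case where another part of the filename, such as the title, is not fully sanitised.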
Weakness Classification
The NVD classifies this vulnerability as CWE-22: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" (NVD).
8. Confidence & Validation
Assessment Confidence: High
| Aspect | Status | Detail |
|---|---|---|
| Vendor Advisory | Published | GHSA-vmwq-8g8c-jm79 (GHSA) |
| CVE Assigned | Yes | CVE-2026-28795, published 2026-03-06 (NVD) |
| PoC Available | No | No public proof-of-concept at time of writing (GHSA-vmwq-8g8c-jm79) |
| Patch Available | Yes | Fixed in OpenChatBI 0.2.2, fix commit 372a7e8 (GHSA-vmwq-8g8c-jm79) |
| Exploited in Wild | No evidence | No CISA KEV listing; EPSS 0.063% / 19.31st percentile (FIRST.org EPSS) |
9. Detection Signatures
Detection Limitations
- No known exploit artefacts exist — these rules detect suspicious patterns consistent with the advisory-described attack, not known-bad IOCs (GHSA-vmwq-8g8c-jm79)
- Rule 1 requires application-level logging of save_report tool invocations with parameter values. Most OpenChatBI deployments may not log at this level by default (RAXE assessment)
- Rule 2 requires file integrity monitoring (FIM) or audit logging on the report output directory (RAXE assessment)
- Rule 3 only fires on patched systems (>= 0.2.2) and indicates a blocked exploitation attempt (RAXE assessment)
Rule 1: Path Traversal in save_report Tool Invocation
Classification: Delivery telemetry
title: OpenChatBI save_report Path Traversal Attempt
id: raxe-2026-028-r1
status: experimental
description: >
    Detects path traversal sequences in the file_format parameter of OpenChatBI's
    save_report tool. Versions <= 0.2.1 apply only lstrip(".") sanitisation, which
    does not prevent traversal sequences (GHSA-vmwq-8g8c-jm79).
references:
    - https://nvd.nist.gov/vuln/detail/CVE-2026-28795
    - https://github.com/zhongyu09/openchatbi/security/advisories/GHSA-vmwq-8g8c-jm79
author: RAXE Labs
date: 2026-03-10
tags:
    - attack.initial_access
    - cve.2026.28795
    - cwe.22
logsource:
    category: application
    product: openchatbi
detection:
    selection:
        tool_name: 'save_report'
    traversal_indicators:
        file_format|contains:
            - '../'
            - '..\\'
            - '/../'
            - '\\..\\'
    condition: selection and traversal_indicators
falsepositives:
    - Legitimate file_format values do not contain path separators. The allowlist
      in version 0.2.2 restricts to md, csv, txt, json, html, xml (fix commit
      372a7e8). Any file_format containing "/" or ".." is anomalous.
level: medium
Rule 2: File Write Outside Report Directory
Classification: Post-exploitation hunting
title: OpenChatBI Process Writing Files Outside Report Directory
id: raxe-2026-028-r2
status: experimental
description: >
    Detects the OpenChatBI application process writing files outside its expected
    report output directory. Successful exploitation of CVE-2026-28795 causes
    the save_report tool to write files to arbitrary locations (GHSA-vmwq-8g8c-jm79).
references:
    - https://nvd.nist.gov/vuln/detail/CVE-2026-28795
    - https://github.com/zhongyu09/openchatbi/security/advisories/GHSA-vmwq-8g8c-jm79
author: RAXE Labs
date: 2026-03-10
tags:
    - attack.impact
    - attack.t1565.001
    - cve.2026.28795
    - cwe.22
logsource:
    category: file_event
    product: linux
detection:
    selection_process:
        Image|endswith:
            - '/python3'
            - '/python'
    selection_cmdline:
        CommandLine|contains: 'openchatbi'
    filter_expected_dirs:
        TargetFilename|contains:
            - '/reports/'
            - '/output/'
    condition: selection_process and selection_cmdline and not filter_expected_dirs
falsepositives:
    - OpenChatBI may write files to other legitimate directories (logs, cache,
      temporary files) depending on deployment configuration. The expected report
      output directory path must be configured per deployment (RAXE assessment).
level: high
Rule 3: Unsupported Format Rejection (Patched Systems)
Classification: Hunting rule (patched systems only)
title: OpenChatBI save_report Unsupported Format Rejection
id: raxe-2026-028-r3
status: experimental
description: >
    Detects the ValueError raised by OpenChatBI >= 0.2.2 when a save_report
    invocation includes a file_format value outside the allowlist. On patched
    systems, this indicates a blocked exploitation attempt (fix commit 372a7e8).
references:
    - https://nvd.nist.gov/vuln/detail/CVE-2026-28795
    - https://github.com/zhongyu09/openchatbi/commit/372a7e861da5159c3106d64d6f6edf8284db8c75
author: RAXE Labs
date: 2026-03-10
tags:
    - attack.initial_access
    - cve.2026.28795
logsource:
    category: application
    product: openchatbi
detection:
    selection:
        EventType: 'error'
    keywords:
        Message|contains: 'Unsupported file format'
    condition: selection and keywords
falsepositives:
    - Legitimate users requesting an unsupported export format (e.g., "save as PDF")
      would also trigger this rule. Correlate with the file_format value in the
      error message to distinguish benign requests from traversal attempts
      (RAXE assessment).
level: medium
Severity Cross-Check
| Rule | Classification | Level | Rationale |
|---|---|---|---|
| R1 — save_report traversal | Delivery telemetry | medium | Detects request pattern, not known exploitation |
| R2 — file write outside dir | Post-exploitation hunting | high | Detects post-exploitation file system behaviour |
| R3 — format rejection | Hunting rule | medium | Detects blocked attempt on patched systems |
10. Detection & Mitigation
Immediate Actions
Priority 1 — Patch
Upgrade OpenChatBI to version 0.2.2 or later (GHSA-vmwq-8g8c-jm79). The fix is available via PyPI (pip install "openchatbi>=0.2.2", quoted so the shell does not treat >= as an output redirection) and the project's GitHub repository (PR #12).
Priority 2 — Mitigate (if patching is delayed)
- Restrict file system write permissions for the OpenChatBI application process to the designated report output directory only (RAXE assessment)
- Deploy the application in a containerised environment with a read-only root filesystem, allowing writes only to the report output volume (RAXE assessment)
- Monitor save_report tool invocations for file_format values containing path traversal sequences (../, /../../) (RAXE assessment)
Detection Guidance
- Enable application-level logging of LLM tool invocations, including parameter values, to support Rule 1 (RAXE assessment)
- Deploy file integrity monitoring (FIM) on the report output directory and critical application directories (e.g., openchatbi/) to support Rule 2 (RAXE assessment)
- Monitor application error logs for ValueError: Unsupported file format messages on patched systems to identify blocked exploitation attempts (Rule 3) (RAXE assessment)
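One way to apply Rule 1 and the Rule 3 triage advice to tool-invocation logs, shown as an added example that is not part of OpenChatBI or the original rules. The JSON-lines schema (ts, tool_name, args) and the sample records are constructed assumptions; adapt the field names to whatever your deployment actually logs.

```python
import json
import re

ALLOWED_FORMATS = {"md", "csv", "txt", "json", "html", "xml"}  # allowlist from 0.2.2
# Path separators, parent-directory references and NUL bytes never belong in an extension.
TRAVERSAL = re.compile(r"[/\\]|\.\.|\x00|%00")

# Constructed sample records; the schema is an assumption, not OpenChatBI's log format.
SAMPLE_LOG = """\
{"ts": "2026-03-10T09:00:01Z", "tool_name": "save_report", "args": {"file_format": "csv"}}
{"ts": "2026-03-10T09:00:07Z", "tool_name": "save_report", "args": {"file_format": "pdf"}}
{"ts": "2026-03-10T09:01:12Z", "tool_name": "save_report", "args": {"file_format": "/../../../app/__init__"}}
{"ts": "2026-03-10T09:01:30Z", "tool_name": "run_sql", "args": {"query": "select 1"}}
not a json line
"""


def classify(file_format):
    """Return 'traversal', 'unsupported' or 'ok' for one file_format value."""
    if not isinstance(file_format, str):
        return "unsupported"
    if TRAVERSAL.search(file_format):
        return "traversal"    # Rule 1: anomalous on any version
    if file_format not in ALLOWED_FORMATS:
        return "unsupported"  # Rule 3: likely a benign request such as "save as PDF"
    return "ok"


def triage(log_text):
    """Return (timestamp, verdict, value) for save_report calls that need review."""
    findings = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not tool-invocation records
        if not isinstance(rec, dict) or rec.get("tool_name") != "save_report":
            continue
        args = rec.get("args")
        value = args.get("file_format") if isinstance(args, dict) else None
        verdict = classify(value)
        if verdict != "ok":
            findings.append((rec.get("ts"), verdict, value))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```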
11. Indicators of Compromise
| Type | Indicator | Context |
|---|---|---|
| Behavioural | file_format parameter containing ../ or /../../ sequences | Delivery indicator — path traversal in save_report tool invocation (GHSA-vmwq-8g8c-jm79) |
| File system | File creation outside the expected report output directory by the OpenChatBI process | Post-exploitation indicator — successful traversal exploitation (RAXE assessment) |
| Application log | ValueError: Unsupported file format in OpenChatBI >= 0.2.2 | Blocked exploitation attempt on patched systems (RAXE assessment) |
Note: No known exploit artefacts (hashes, IP addresses, domain names) are associated with this vulnerability at time of writing. The indicators above are behavioural patterns consistent with the advisory-described attack mechanism (RAXE assessment).
12. Strategic Context
CVE-2026-28795 represents a growing pattern of vulnerabilities in AI agent tooling, where the attack surface has shifted from traditional web endpoints to the tool-calling interfaces used by large language models (RAXE assessment). The save_report function is an AI agent tool — a function that the LLM invokes on behalf of the user — and the vulnerability is exploited by manipulating the LLM into passing a malicious parameter value (GHSA-vmwq-8g8c-jm79).
This pattern is consistent with MITRE ATLAS technique AML.T0053 (AI Agent Tool Invocation) and has been observed in other RAXE findings involving MCP server vulnerabilities and agent tool exploitation (RAXE assessment). As LLM-powered applications increasingly integrate tool-calling capabilities, the security of these tool interfaces becomes a critical consideration for organisations deploying AI-assisted workflows (RAXE assessment).
The significant divergence between three independent severity assessments — NVD Critical (9.8), GitHub CNA High (8.7 v4.0), and GHSA Moderate — highlights the challenge of consistent vulnerability scoring in the AI application ecosystem, where the interaction between the LLM and its tools creates novel attack paths that may not be fully captured by traditional scoring methodologies (RAXE assessment).
13. References
- CVE-2026-28795 — NVD Entry (NVD)
- GHSA-vmwq-8g8c-jm79 — Path Traversal in OpenChatBI save_report (GHSA)
- Fix Commit 372a7e8 (GitHub)
- Issue #10 — Vulnerability Report (GitHub)
- PR #12 — Patch (GitHub)
- EPSS Score for CVE-2026-28795 (FIRST.org EPSS)
- MITRE ATLAS: AML.T0053 — AI Agent Tool Invocation (MITRE ATLAS)