{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27189", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-18T19:47:02.153Z", "datePublished": "2026-02-21T00:01:46.960Z", "dateUpdated": "2026-02-25T21:25:52.502Z"}, "containers": {"cna": {"title": "OpenSift: Race-prone local persistence could cause state corruption/loss", "problemTypes": [{"descriptions": [{"cweId": "CWE-367", "lang": "en", "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-362", "lang": "en", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/OpenSift/OpenSift/security/advisories/GHSA-3pmp-j953-whxq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/OpenSift/OpenSift/security/advisories/GHSA-3pmp-j953-whxq"}, {"name": "https://github.com/OpenSift/OpenSift/releases/tag/v1.1.3-alpha", "tags": ["x_refsource_MISC"], "url": "https://github.com/OpenSift/OpenSift/releases/tag/v1.1.3-alpha"}], "affected": [{"vendor": "OpenSift", "product": "OpenSift", "versions": [{"version": "< 1.1.3-alpha", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-21T00:01:46.960Z"}, "descriptions": [{"lang": "en", "value": "OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI. Versions 1.1.2-alpha and below, use non-atomic and insufficiently synchronized local JSON persistence flows, potentially causing concurrent operations to lose updates or corrupt local state across sessions/study/quiz/flashcard/wellness/auth stores. This issue has been fixed in version 1.1.3-alpha."}], "source": {"advisory": "GHSA-3pmp-j953-whxq", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-25T21:25:43.072602Z", "id": "CVE-2026-27189", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T21:25:52.502Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27189", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-25T21:25:43.072602Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T21:25:47.592Z"}}], "cna": {"title": "OpenSift: Race-prone local persistence could cause state corruption/loss", "source": {"advisory": "GHSA-3pmp-j953-whxq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.6, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "OpenSift", "product": "OpenSift", "versions": [{"status": "affected", "version": "< 1.1.3-alpha"}]}], "references": [{"url": "https://github.com/OpenSift/OpenSift/security/advisories/GHSA-3pmp-j953-whxq", "name": "https://github.com/OpenSift/OpenSift/security/advisories/GHSA-3pmp-j953-whxq", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/OpenSift/OpenSift/releases/tag/v1.1.3-alpha", "name": "https://github.com/OpenSift/OpenSift/releases/tag/v1.1.3-alpha", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI. Versions 1.1.2-alpha and below, use non-atomic and insufficiently synchronized local JSON persistence flows, potentially causing concurrent operations to lose updates or corrupt local state across sessions/study/quiz/flashcard/wellness/auth stores. This issue has been fixed in version 1.1.3-alpha."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-367", "description": "CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-362", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-21T00:01:46.960Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27189", "state": "PUBLISHED", "dateUpdated": "2026-02-25T21:25:52.502Z", "dateReserved": "2026-02-18T19:47:02.153Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-21T00:01:46.960Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:opensift:opensift:*:*:*:*:*:python:*:*", "matchCriteriaId": "319EE5EC-3784-4572-A7A3-DFE3BC789A64", "versionEndExcluding": "1.1.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenSift is an AI study tool that sifts through large datasets using semantic search and generative AI. Versions 1.1.2-alpha and below, use non-atomic and insufficiently synchronized local JSON persistence flows, potentially causing concurrent operations to lose updates or corrupt local state across sessions/study/quiz/flashcard/wellness/auth stores. This issue has been fixed in version 1.1.3-alpha."}], "id": "CVE-2026-27189", "lastModified": "2026-02-23T20:48:59.453", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 4.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-02-21T00:16:17.140", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/OpenSift/OpenSift/releases/tag/v1.1.3-alpha"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/OpenSift/OpenSift/security/advisories/GHSA-3pmp-j953-whxq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}, {"lang": "en", "value": "CWE-367"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.1.3-alpha)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "opensift", "vendor": "opensift"}], "analysis": {"en": {"generated_at": "2026-04-17T16:57:16.542601+00:00", "value": {"mitigation_remediation": ["Upgrade OpenSift to version 1.1.3-alpha or later to apply the vendor\u2011provided fix.", "If an upgrade is not immediately possible, ensure that only one process or thread accesses the local JSON persistence at a time by implementing application\u2011level locks or disabling concurrent operations during critical edits.", "As a temporary workaround, manually back up the local state before performing intensive operations and restore if corruption is detected; consider moving critical data to a more robust storage mechanism such as a local database that supports atomic transactions."], "summary": {"action": "Apply Patch", "impact": "Data Integrity (State Corruption)"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the OpenSift AI study tool, specifically versions 1.1.2\u2011alpha and earlier. Updated builds beginning with 1.1.3\u2011alpha contain the fix and are not affected.", "description_and_impact": "OpenSift\u2019s local JSON persistence was designed without atomic operations or adequate synchronization, creating a race condition that can cause concurrent read/write operations to overwrite or lose data. The result is loss or corruption of user state across study, quiz, flashcard, wellness, or authentication stores, potentially erasing progress or changing quiz outcomes. The weakness aligns with CWE\u2011362 (Concurrent Execution with Shared Resource) and CWE\u2011367 (Deadlock or Resource Starvation).", "risk_and_exploitability": "The CVSS score of 6.6 indicates a moderate severity, with an EPSS score below 1% suggesting a low probability of exploitation. The issue is not listed in the CISA KEV catalog. The likely attack scenario is local or co\u2011located users performing parallel operations that trigger the race condition; non\u2011remote exploitation. No public exploit is documented. The impact is limited to data integrity rather than remote code execution or privilege escalation."}}}}, "created": "2026-02-23T14:32:56.297896+00:00", "updated": "2026-04-17T17:00:10.201319+00:00", "vendors": ["opensift", "opensift$PRODUCT$opensift"]}