openDCIM: from SQL Injection to RCE via config poisoning
Attack Techniques & Methods | Published 2026-03-04, 14:51
A vulnerability chain was discovered in the open-source data-centre inventory tool openDCIM (CVE-2026-28515, CVE-2026-28516 and CVE-2026-28517) that allows an attacker to achieve Remote Code Execution (RCE) on the server. The chain is rated 9.3 on the CVSS v4.0 scale.
The root causes are missing authorization checks in install.php, an SQL injection flaw in the update of configuration parameters, and unsafe handling of the dot field, whose value reaches an exec() call without adequate sanitization. As a result, arbitrary commands can be injected through HTTP requests and executed as the www-data user. In Docker-based deployments the whole chain can be exploited without authentication.
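The three root causes named above (a handler reachable without authorization, string-built SQL for a configuration update, and a stored configuration value later handed to exec()) form a recognisable pattern in PHP applications. The following is an added illustration written for this page, not openDCIM's code: a hypothetical configuration-update handler in its weak form next to a hardened counterpart. The table name app_config, the column names, the parameter names SiteName and ToolPath, and the session flag is_admin are all assumptions; the SQLite in-memory database at the bottom is constructed so the example runs stand-alone.

```php
<?php
// Added example, not openDCIM's code. Table, column, parameter and session
// names are assumptions chosen for illustration.

// --- Weak pattern: the three weakness classes from the advisory in one place ---
function updateConfigWeak(PDO $db, array $post): void
{
    // (1) No authorization check: any HTTP client that reaches this code may change config.
    // (2) Name and value are interpolated straight into SQL (SQL injection).
    $db->exec("UPDATE app_config SET value='{$post['value']}' WHERE name='{$post['name']}'");
    // (3) A stored configuration value is later used to build a shell command line,
    //     so whoever controls the value controls what the web server executes.
    $tool = $db->query("SELECT value FROM app_config WHERE name='ToolPath'")->fetchColumn();
    exec("$tool --version", $out);
}

// --- Hardened pattern ---
const PATH_RE = '~^/[A-Za-z0-9_./-]+$~';   // plain absolute path, no spaces or shell metacharacters

function updateConfigHardened(PDO $db, array $session, array $post): bool
{
    // (1) Authorization first: only an administrator may change configuration.
    if (empty($session['is_admin'])) {
        return false;
    }
    // (2) Parameter names come from a fixed allowlist; values are bound, never interpolated.
    $allowed = ['SiteName' => 'string', 'ToolPath' => 'path'];
    $name  = (string)($post['name'] ?? '');
    $value = (string)($post['value'] ?? '');
    if (!array_key_exists($name, $allowed)) {
        return false;
    }
    if ($allowed[$name] === 'path' && !preg_match(PATH_RE, $value)) {
        return false;   // validate at write time: the value will later name an executable
    }
    $stmt = $db->prepare('UPDATE app_config SET value = :v WHERE name = :n');
    return $stmt->execute([':v' => $value, ':n' => $name]);
}

function runConfiguredTool(PDO $db): string
{
    // (3) Treat stored config as untrusted at use time too: re-validate, require an
    //     executable file, and escape the argument before it reaches the shell.
    $stmt = $db->prepare('SELECT value FROM app_config WHERE name = :n');
    $stmt->execute([':n' => 'ToolPath']);
    $tool = (string)$stmt->fetchColumn();
    if (!preg_match(PATH_RE, $tool) || !is_executable($tool)) {
        throw new RuntimeException('ToolPath is not a trusted executable');
    }
    $out = [];
    exec(escapeshellarg($tool) . ' --version', $out, $rc);
    return $rc === 0 ? implode("\n", $out) : '';
}

// --- Constructed demo data so the example runs without a real deployment ---
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE app_config (name TEXT PRIMARY KEY, value TEXT)');
$db->exec("INSERT INTO app_config VALUES ('ToolPath', '/bin/ls')");

$admin = ['is_admin' => true];
var_dump(updateConfigHardened($db, [], ['name' => 'SiteName', 'value' => 'x']));            // false: not authorized
var_dump(updateConfigHardened($db, $admin, ['name' => 'Debug', 'value' => '1']));           // false: not an allowed parameter
var_dump(updateConfigHardened($db, $admin, ['name' => 'ToolPath', 'value' => '/usr/bin/env extra'])); // false: rejected by PATH_RE
var_dump(updateConfigHardened($db, $admin, ['name' => 'ToolPath', 'value' => '/bin/ls']));  // true
echo runConfiguredTool($db), PHP_EOL;
```

The important design choice is that the value is validated twice, once when written and again immediately before it is used, so a row altered by any other path (a second injection point, a restored backup, a direct database edit) still cannot turn a configuration field into a command. Prepared statements close the SQL injection class regardless of what characters the parameter contains, and the allowlist keeps unexpected parameter names out of the table entirely.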