PT-2026-25963 · Unknown · Ldap Account Manager

Jonaslejon · Published 2026-03-17 · Updated 2026-03-19

CVE-2026-27894
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: LDAP Account Manager, versions prior to 9.5

Description: LDAP Account Manager (LAM) is a web interface for managing entries in an LDAP directory, such as users, groups and DHCP settings. A local file inclusion issue was identified in the PDF export functionality of versions prior to 9.5: a logged-in LAM user can make the application include local PHP files, which executes the code they contain. Exploitation therefore requires a valid LAM login (the CVSS vector's PR:L). Combined with another issue, this allows arbitrary code execution.

Recommendations: Upgrade installations running a version prior to 9.5 to version 9.5. As a workaround, make the /var/lib/ldap-account-manager/config directory read-only for the web server user. Deleting the PDF profile files disables PDF exports altogether.
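The recommendations above amount to a version check plus a file-system workaround. The script below is an added example, not code from the advisory or from the LAM project: it decides whether an installed LAM version is older than the fixed release 9.5 and provides functions that apply the workaround (strip write permission from the config directory, optionally delete the PDF profile files). The Debian package name ldap-account-manager queried through dpkg-query, and the layout in which PDF profiles are XML files under a pdf/ subdirectory of the config directory, are assumptions of this example; the config path itself is the one the advisory names.

```shell
#!/bin/sh
# Added example, not code from the advisory or from the LAM project.
# Assumptions (not stated by the advisory): Debian package name
# "ldap-account-manager"; PDF profiles stored as *.xml under "<config>/pdf/".

FIXED_VERSION="9.5"
LAM_CONFIG_DIR="${LAM_CONFIG_DIR:-/var/lib/ldap-account-manager/config}"

# lam_is_vulnerable VERSION
#   0 when VERSION ("9.4", "9.4-1", "8.9.3", "9") is older than 9.5,
#   1 when it is 9.5 or newer, 2 when it cannot be parsed.
lam_is_vulnerable() {
    ver="${1%%-*}"             # drop a Debian revision: "9.4-1" -> "9.4"
    major="${ver%%.*}"         # "9"
    rest="${ver#*.}"           # "4.1", "4", or unchanged when there is no dot
    minor="${rest%%.*}"        # "4"
    [ "$rest" = "$ver" ] && minor=0          # bare "9" means 9.0
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    [ "$major" -lt 9 ] || { [ "$major" -eq 9 ] && [ "$minor" -lt 5 ]; }
}

# lam_apply_workaround DIR [yes]
#   Removes write permission from DIR and everything below it, so the web
#   server user can no longer write PDF profiles (root still can). With a
#   second argument of "yes", first deletes the PDF profile files
#   (DIR/pdf/**/*.xml, the assumed layout), which disables PDF export.
#   Returns 2 if DIR does not exist.
lam_apply_workaround() {
    dir="$1"
    [ -d "$dir" ] || return 2
    if [ "${2:-no}" = "yes" ] && [ -d "$dir/pdf" ]; then
        find "$dir/pdf" -type f -name '*.xml' -exec rm -f {} +
    fi
    chmod -R a-w "$dir"
}

# lam_dir_is_writable DIR
#   0 if any write bit (owner, group or other) is set on DIR itself,
#   1 if DIR is read-only for everyone, the state the workaround leaves.
lam_dir_is_writable() {
    mode=$(ls -ld "$1" | cut -c2-10)         # e.g. "r-xr-xr-x"
    case "$mode" in *w*) return 0 ;; *) return 1 ;; esac
}

main() {
    # Version from the Debian package when installed, else from the first argument.
    ver="${1:-$(dpkg-query -W -f='${Version}' ldap-account-manager 2>/dev/null)}"
    rc=0
    lam_is_vulnerable "$ver" || rc=$?
    case "$rc" in
        0) echo "LAM $ver is older than $FIXED_VERSION: upgrade, or as root run"
           echo "   lam_apply_workaround $LAM_CONFIG_DIR yes" ;;
        1) echo "LAM $ver is $FIXED_VERSION or newer" ;;
        *) echo "usage: $0 <lam-version>   (no ldap-account-manager package found)" >&2 ;;
    esac
}

main "$@"
```

Run it as root with no argument on a Debian host, or pass the version explicitly (`sh lam_check.sh 9.4`). `chmod -R a-w` clears the write bits for the owner as well, which is what makes the directory read-only when the web server user owns it; until you restore them with `chmod -R u+w`, LAM cannot save configuration or profile changes either, which is the point of the workaround but worth knowing before applying it.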

Related Identifiers

CVE-2026-27894
GHSA-88HF-2CJM-M9G8
GHSA-W7XQ-VJR3-P9CF

Affected Products

Ldap Account Manager