PT-2026-22425 · Opendcim · Opendcim

Author: Valentin Lobstein · Published: 2026-02-27 · Updated: 2026-05-14 · CVE-2026-28515

CVSS v4.0: 9.3 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: openDCIM versions 23.04 through commit 4467e9c4

Description: The software contains a missing authorization issue in the install.php and container-install.php files. The installer and upgrade handler expose LDAP configuration functionality without proper application role checks. Any authenticated user can access this functionality, regardless of assigned privileges. If the REMOTE_USER variable is set without authentication enforcement, the endpoint may be accessible without credentials, allowing unauthorized modification of application configuration.

Recommendations: Apply updates to versions beyond commit 4467e9c4. Ensure proper authentication enforcement is in place when using the REMOTE_USER variable. Restrict access to the install.php and container-install.php files to authorized personnel only.
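The two failure modes in the description (no role check on the installer handler, and blind trust in REMOTE_USER) are easiest to see side by side. The following PHP is an added illustration written for this advisory; it is not openDCIM's code and does not reproduce the project's install.php. The function names, the $config array, the role lookup and the sample users are all hypothetical.

```php
<?php
// Added example, not openDCIM's own code. Names below are hypothetical.
declare(strict_types=1);

// Constructed stand-in for deployment configuration. 'remote_user_trusted'
// must only be true when the web server or reverse proxy really enforces
// authentication before it populates REMOTE_USER.
$config = [
    'remote_user_trusted' => false,
];

// VULNERABLE PATTERN (the class of defect the advisory describes): any session,
// or any non-empty REMOTE_USER, is enough to reach the LDAP configuration
// handler. There is no role check, and REMOTE_USER is trusted unconditionally.
function installerAccessVulnerable(array $server, array $session): bool
{
    return !empty($session['user']) || !empty($server['REMOTE_USER']);
}

// HARDENED PATTERN: require an authenticated principal AND the administrator
// role, and accept REMOTE_USER as a principal only when the deployment states
// that the front end enforces authentication for it.
function installerAccessHardened(array $server, array $session, array $config, callable $roleLookup): bool
{
    $principal = null;

    if (!empty($session['user'])) {
        $principal = (string) $session['user'];
    } elseif (!empty($server['REMOTE_USER']) && ($config['remote_user_trusted'] ?? false) === true) {
        $principal = (string) $server['REMOTE_USER'];
    }

    if ($principal === null) {
        return false; // no authenticated principal
    }

    // The role comes from the application's own user store, never from the request.
    return $roleLookup($principal) === 'admin';
}

// Constructed user store for the demonstration.
$roleLookup = function (string $user): ?string {
    $roles = ['alice' => 'admin', 'bob' => 'viewer'];
    return $roles[$user] ?? null;
};

// Constructed requests.
$viewerSession      = ['user' => 'bob'];        // authenticated, low-privilege user
$unenforcedRemote   = ['REMOTE_USER' => 'alice']; // REMOTE_USER present, no front-end enforcement
$adminSession       = ['user' => 'alice'];      // authenticated administrator

// Vulnerable handler: low-privilege session and unenforced REMOTE_USER both pass.
var_dump(installerAccessVulnerable([], $viewerSession));
var_dump(installerAccessVulnerable($unenforcedRemote, []));

// Hardened handler: viewer is stopped by the role check, unenforced REMOTE_USER
// is ignored because remote_user_trusted is false, administrator session passes.
var_dump(installerAccessHardened([], $viewerSession, $config, $roleLookup));
var_dump(installerAccessHardened($unenforcedRemote, [], $config, $roleLookup));
var_dump(installerAccessHardened([], $adminSession, $config, $roleLookup));
```

The application-level check complements, rather than replaces, the recommendation to restrict install.php and container-install.php at the web server: an installer that is unreachable after deployment cannot be reached by a privilege mistake in the application either.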

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2026-28515

Affected Products: Opendcim