PT-2026-21278 · Unknown · Openitcockpit

H00Die-Gr3Y · Published 2026-02-20 · Updated 2026-02-20 · CVE-2026-24891

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: openITCOCKPIT versions 5.3.1 and below
Description: openITCOCKPIT, an open source monitoring tool, has an unsafe deserialization issue in its Gearman worker implementation. The oitc gearman function calls PHP's unserialize() on job payloads without restricting the classes that may be instantiated and without validating the payload. An attacker who can submit crafted serialized payloads to the Gearman service can therefore trigger PHP Object Injection, in particular when Gearman listens on non-local interfaces or network access to TCP/4730 is unrestricted. The issue persists regardless of deployment configuration, because the trust boundary is not enforced in the application code.
Recommendations: Upgrade to version 5.4.0 or later.
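As an added illustration of the weak pattern the description names, beside a hardened handler (example code, not openITCOCKPIT's own; the function names, the `oitc_job` job name and the `task`/`host_id` fields are assumptions):

```php
<?php
// Added illustration (not openITCOCKPIT's code): a Gearman job handler that
// decodes its workload the unsafe way, beside two hardened alternatives.
// Function names, job name and field names are hypothetical.

// WEAK pattern: unserialize() on an untrusted job payload with no class
// restriction. Any autoloadable class with __wakeup/__unserialize/__destruct
// becomes reachable by whoever can write to the Gearman queue (TCP/4730).
function handle_job_unsafe(string $workload): array
{
    $data = unserialize($workload);          // no allowed_classes restriction
    return is_array($data) ? $data : [];
}

// HARDENED pattern: refuse object instantiation entirely, then validate shape.
// With allowed_classes => false every serialized object is materialised as
// __PHP_Incomplete_Class, so no magic method of any real class runs.
function handle_job_safe(string $workload): array
{
    $data = @unserialize($workload, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new InvalidArgumentException('job payload must be a serialized array');
    }
    // Whitelist expected scalar fields and their types; reject anything else,
    // which also rejects nested __PHP_Incomplete_Class objects.
    $expected = ['task' => 'string', 'host_id' => 'integer'];
    $clean = [];
    foreach ($expected as $key => $type) {
        if (!array_key_exists($key, $data) || gettype($data[$key]) !== $type) {
            throw new InvalidArgumentException("bad or missing field: $key");
        }
        $clean[$key] = $data[$key];
    }
    return $clean;
}

// Preferable where the producer can be changed too: carry the job as JSON,
// a format that cannot encode PHP objects at all.
function handle_job_json(string $workload): array
{
    return json_decode($workload, true, 8, JSON_THROW_ON_ERROR);
}

// Registration with the PHP Gearman extension (illustrative):
// $worker = new GearmanWorker();
// $worker->addServer('127.0.0.1', 4730);   // keep the job server on loopback
// $worker->addFunction('oitc_job', fn(GearmanJob $job) => handle_job_safe($job->workload()));
```

Restricting classes in the consumer is the code-level fix the description calls for; binding Gearman to loopback or firewalling TCP/4730 is defence in depth, not a substitute.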

Weakness Enumeration

Deserialization of Untrusted Data

Related identifiers

CVE-2026-24891
GHSA-X4MQ-8GFG-FRC4

Affected products

Openitcockpit