PT-2026-22425 · Opendcim · Opendcim

Valentin Lobstein

·

Published

2026-02-27

·

Updated

2026-05-19

·

CVE-2026-28515

CVSS v4.0

9.3

Critical

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions openDCIM version 23.04 through commit 4467e9c4
Description The installer and upgrade handler expose LDAP configuration functionality without enforcing application role checks. This allows any authenticated user to access the functionality regardless of their assigned privileges. In deployments where REMOTE USER is set without authentication enforcement, the endpoints "install.php" and "container-install.php" may be accessible without credentials, enabling unauthorized modification of the application configuration.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

RCE

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BDU:2026-07989
CVE-2026-28515

Affected Products

Opendcim