PT-2026-22425 · Opendcim · Opendcim
Valentin Lobstein
·
Published
2026-02-27
·
Updated
2026-05-19
·
CVE-2026-28515
CVSS v4.0
9.3
Critical
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
openDCIM version 23.04 through commit 4467e9c4
Description
The installer and upgrade handler expose LDAP configuration functionality without enforcing application role checks. This allows any authenticated user to access the functionality regardless of their assigned privileges. In deployments where
REMOTE USER is set without authentication enforcement, the endpoints "install.php" and "container-install.php" may be accessible without credentials, enabling unauthorized modification of the application configuration.Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
RCE
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Opendcim