PT-2026-22837 · Unknown · Openstamanager

Runprogram · Published 2026-03-03 · Updated 2026-03-05 · CVE-2026-27012

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenSTAManager versions 2.9.8 and earlier

Description: OpenSTAManager is a management software for technical assistance and invoicing. A privilege escalation and authentication bypass exists in versions 2.9.8 and earlier, allowing an attacker to arbitrarily change a user's group (idgruppo) by directly calling the modules/utenti/actions.php endpoint. This can promote an existing account, such as an agent, to the Amministratori group, or demote any user, including existing administrators.

Recommendations: Versions prior to 2.9.8 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Tags: Exploit · LPE · Missing Authentication

Weakness Enumeration

Related Identifiers

CVE-2026-27012
GHSA-247V-7CW6-Q57V

Affected Products

Openstamanager