PT-2026-29658 · Unknown · Openstamanager
Ormzro · Published 2026-04-01 · Updated 2026-04-02 · CVE-2026-29782

CVSS v3.1: 7.2 (High)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

OpenSTAManager versions prior to 2.10.2

Description

The oauth2.php file in OpenSTAManager is an unauthenticated endpoint. It loads a record from the zz_oauth2 table using the attacker-controlled GET parameter state, and during the OAuth2 configuration flow calls unserialize() on the stored access token field without any class restriction. An attacker who can write to the zz_oauth2 table can insert a malicious serialized PHP object that, upon deserialization, executes arbitrary commands on the server as the www-data user. The HTTP response is 500, but the command has already executed during error cleanup. Combined with an arbitrary SQL injection in the Aggiornamenti module, this allows unauthenticated remote code execution (RCE). The Laravel/RCE22 gadget chain is used to achieve this.

Recommendations

Versions prior to 2.10.2: restrict unserialize() by passing an allowed_classes option limited to AccessToken::class in the checkTokens() and getAccessToken() functions in src/Models/OAuth2.php. Alternatively, replace serialize()/unserialize() with json_encode()/json_decode() for storing OAuth2 tokens. As another option, authenticate the oauth2.php endpoint or validate the state parameter.
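The unrestricted unserialize() call beside the two fixes the recommendation describes (an allowed_classes list and a JSON round-trip), as an added PHP example that is not OpenSTAManager's own code. AccessToken, SideEffectOnWakeup, the loadToken* functions and the *TokenJson functions are hypothetical stand-ins; the sample rows are constructed.

```php
<?php
// Added example, not OpenSTAManager's own code. AccessToken is a hypothetical
// stand-in for the token class an OAuth2 model would store; SideEffectOnWakeup
// stands in for any class whose magic methods run during deserialization.
final class AccessToken {
    public function __construct(public string $token, public int $expires) {}
}
final class SideEffectOnWakeup {
    public static bool $fired = false;
    public function __wakeup(): void { self::$fired = true; } // harmless marker only
}
// Weak pattern from the advisory: the stored blob decides which classes get built.
function loadTokenUnrestricted(string $blob): mixed {
    return unserialize($blob);
}

// Hardened: only AccessToken may be instantiated; any other class named in the
// blob becomes __PHP_Incomplete_Class and none of its methods run.
function loadTokenRestricted(string $blob): ?AccessToken {
    $obj = unserialize($blob, ['allowed_classes' => [AccessToken::class]]);
    return $obj instanceof AccessToken ? $obj : null;
}

// Alternative: JSON cannot name a class at all, so nothing is ever instantiated.
function encodeTokenJson(AccessToken $t): string {
    return json_encode(['token' => $t->token, 'expires' => $t->expires], JSON_THROW_ON_ERROR);
}
function decodeTokenJson(string $json): ?AccessToken {
    $d = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($d) || !is_string($d['token'] ?? null) || !is_int($d['expires'] ?? null)) {
        return null;
    }
    return new AccessToken($d['token'], $d['expires']);
}

function check(bool $cond, string $what): void {
    if (!$cond) { throw new RuntimeException("check failed: $what"); }
    echo "ok: $what\n";
}

// Constructed sample rows: a legitimate token and a row carrying a foreign class.
$legit   = serialize(new AccessToken('abc123', 1800000000));
$foreign = serialize(new SideEffectOnWakeup());
check(loadTokenRestricted($legit) instanceof AccessToken, 'legitimate token still loads');
check(loadTokenRestricted($foreign) === null, 'foreign class rejected by allowed_classes');
check(SideEffectOnWakeup::$fired === false, 'foreign __wakeup did not run under allowed_classes');
loadTokenUnrestricted($foreign);
check(SideEffectOnWakeup::$fired === true, 'unrestricted unserialize() ran the foreign __wakeup');
check(decodeTokenJson(encodeTokenJson(new AccessToken('abc123', 1800000000)))?->token === 'abc123', 'JSON round-trip keeps the token');
```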

Fix

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

CVE-2026-29782
GHSA-WHV5-4Q2F-Q68G

Affected Products

Openstamanager