CVE-2026-28515

27.02.2026, 23:16

openDCIM version 23.04, through commit 4467e9c4, contains a missing authorization vulnerability in install.php and container-install.php. The installer and upgrade handler expose LDAP configuration functionality without enforcing application role checks. Any authenticated user can access this functionality regardless of assigned privileges. In deployments where REMOTE_USER is set without authentication enforcement, the endpoint may be accessible without credentials. This allows unauthorized modification of application configuration.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	UNKNOWN				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-862 - Missing Authorization
The software does not perform an authorization check when an actor attempts to access a resource or perform an action.

References

https://chocapikk.com/posts/2026/opendcim-sqli-to-rce/

https://github.com/Chocapikk/opendcim-exploit

https://github.com/opendcim/openDCIM/blob/4467e9c4/container-install.php#L421-L435

https://github.com/opendcim/openDCIM/blob/4467e9c4/install.php#L293

https://github.com/opendcim/openDCIM/blob/4467e9c4/install.php#L420-L434

https://github.com/opendcim/openDCIM/pull/1664

https://github.com/opendcim/openDCIM/pull/1664/changes/8f7ab2a710086a9c8c269560793e47c577ddda09

https://www.vulncheck.com/advisories/opendcim-missing-authorization-in-install-php