Skip to main content

PHP CVE-2026-27823

CRITICAL
Path Traversal (CWE-22)
2026-07-07 https://github.com/EGroupware/egroupware GHSA-h9qx-v5xp-ph8p
Share

Lifecycle Timeline

1
Analysis Generated
Jul 07, 2026 - 13:32 vuln.today

DescriptionCVE.org

Summary

A critical vulnerability has been identified in EGroupware that may lead to Remote Code Execution (RCE). The issue allows an authenticated attacker to execute arbitrary commands on the server. If user self-registration is enabled, the vulnerability may be exploitable without prior authentication.

The vulnerability stems from improper authorization checks combined with a file write primitive and an arbitrary file read vulnerability, which together enable full system compromise.

Details

1. Improper Authorization in SmallPartMediaRecorder::ajax_upload()

The vulnerability originates in:

EGroupware\SmallParT\Widgets\SmallPartMediaRecorder::ajax_upload()

The function attempts to verify whether the current user is a teacher of the specified course ID before allowing a file upload.

The critical authorization check ensures that the course access control list (ACL) contains:

$required_acl (self::ROLE_TEACHER, i.e., 3)

However, the course_acl value is derived from user-controlled request data.

_Bypass Technique_

A crafted request can manipulate the participant_role value inside the request body:

json
{
  "video": {
    "course_id": {
      "participants": [
        {
          "account_id": "7",
          "name": "Test",
          "joined_at": "2026-01-10",
          "participant_role": 3
        }
      ],
      "account_id": "7",
      "course_id": "1"
    },
    "video_hash": ".",
    "video_type": "file_here"
  }
}

Because the course ACL is taken from participant_role, setting it to 3 allows bypassing the isTeacher check.

2. Arbitrary File Write

After bypassing authorization, the function uploads the provided file into a controllable file path.

The file path is derived from the video_type (or video_path) value, enabling path traversal.

Due to file permission restrictions (server running as www-data), writable targets are limited. One viable target is ./header.inc.php

3. Constraints

Writing a simple PHP webshell may not immediately execute due to OPcache.

An invalid header.inc.php file will break the system and prevent the server from running.

Therefore, a valid file structure must be preserved.

4. Arbitrary File Read

A second vulnerability allows arbitrary file read via:

/egroupware/index.php?menuaction=importexport.importexport_export_ui.download&_filename=../../../usr/share/egroupware/header.inc.php&_suffix=txt&_type=text/plain&filename=leak

The issue resides in:

importexport_export_ui::download

The _filename parameter is user-controlled and used to read arbitrary files.

This allows retrieving the original header.inc.php content.

5. Achieving Remote Code Execution

By combining: Arbitrary file read (to retrieve valid header.inc.php); Arbitrary file write (to overwrite it with modified content), an attacker can inject controlled PHP code while preserving file validity.

This results in Remote Code Execution after server restart, or OPcache expiration. An alternative impact includes modifying the admin setup password to gain full system control.

Impact

Remote Code Execution Full system compromise Arbitrary file read Arbitrary file write Potential complete takeover of EGroupware instance

Reported by

This finding was discovered by Huong Kieu of Cenobe Security (https://cenobe.com/)

AnalysisAI

Remote code execution in EGroupware lets an attacker chain a broken authorization check with an arbitrary file write and an arbitrary file read to fully compromise the server. An authenticated user can forge the participant_role field in a SmallPartMediaRecorder::ajax_upload() request to impersonate a course teacher, then use path traversal to read and overwrite header.inc.php with valid but attacker-controlled PHP, yielding code execution after OPcache refresh or a setup-password change. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Recommended ActionAI

Within 24 hours: Disable self-registration feature; restrict EGroupware administrative interfaces (setup.php, /setup/) and upload handlers to trusted networks via firewall or WAF. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-27823 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy