CVE-2026-28515
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4Description
openDCIM version 23.04, through commit 4467e9c4, contains a missing authorization vulnerability in install.php and container-install.php. The installer and upgrade handler expose LDAP configuration functionality without enforcing application role checks. Any authenticated user can access this functionality regardless of assigned privileges. In deployments where REMOTE_USER is set without authentication enforcement, the endpoint may be accessible without credentials. This allows unauthorized modification of application configuration.
Analysis
OpenDCIM through version 23.04 fails to enforce authorization checks in its installation and upgrade handlers, allowing any authenticated user to modify LDAP configuration settings regardless of their assigned roles. Public exploit code exists for this vulnerability, and in deployments where REMOTE_USER authentication is not enforced, unauthenticated attackers may also access these administrative functions. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all openDCIM instances running version 23.04 and assess network exposure of install.php and container-install.php endpoints. Within 7 days: Apply available vendor patch to all affected systems and verify successful deployment. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today