Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionNVD
OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Prior to version 11.0.3, a flaw in Open XDMoD's access control logic allows an attacker to submit a crafted HTTPS POST request that sets a session variable used for authorization decisions. If an installation of Open XDMoD includes the optional Job Performance (SUPReMM) module, an attacker could bypass intended data access restrictions and view other users' compute job efficiency metrics. All deployments of Open XDMoD prior to version 11.0.3 that contain the optional Job Performance (SUPReMM) module are impacted. This issue was reported privately on 2026-04-06, and at this time there is no evidence that this vulnerability has been exploited in the wild. The vulnerability was patched in Open XDMoD 11.0.3 on 2026-05-12. As a workaround, apply the patch manually.
AnalysisAI
Session variable manipulation in Open XDMoD prior to version 11.0.3 enables low-privileged authenticated remote attackers to bypass access control logic by submitting a crafted HTTPS POST request that overrides a session variable governing authorization decisions. Exploitation is contingent on the optional Job Performance (SUPReMM) module being installed; without it, the vulnerable code path is not reachable. No public exploit code exists and no active exploitation has been identified at time of analysis; the vendor released a fix in v11.0.3 on 2026-05-12 following private disclosure on 2026-04-06.
Technical ContextAI
Open XDMoD (CPE: cpe:2.3:a:ubccr:xdmod:*:*:*:*:*:*:*:*, all versions prior to 11.0.3) is an open-source HPC metrics analytics framework by UBCCR. The root cause is CWE-284 (Improper Access Control): the application's authorization logic relies on a server-side session variable whose value can be externally influenced by including attacker-supplied data in an HTTPS POST request body. When the optional Job Performance module (SUPReMM) is active, this session variable is evaluated to gate access to per-user compute job efficiency metrics, meaning an attacker who controls its value can impersonate or access data scoped to other user accounts. This is a classic trust-boundary failure where client-influenced state is used for a privileged server-side decision without adequate validation.
RemediationAI
Upgrade to Open XDMoD version 11.0.3 (released 2026-05-12, tagged v11.0.3-2 at https://github.com/ubccr/xdmod/releases/tag/v11.0.3-2), which patches this vulnerability alongside two other moderate-to-high severity issues. For deployments unable to upgrade immediately, the vendor provides a standalone patch file at https://open.xdmod.org/security_patches/GHSA-3hfh-m242-8rmh-0_0_0-11_0_2.patch that can be applied manually; this is the only documented workaround and introduces no noted side effects. As an additional compensating control, restricting access to the Job Performance (SUPReMM) module to trusted users or disabling it until patching is feasible would eliminate the vulnerable code path entirely, though this trades off legitimate user access to job efficiency data.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34898