Xdmod
Monthly
Session variable manipulation in Open XDMoD prior to version 11.0.3 enables low-privileged authenticated remote attackers to bypass access control logic by submitting a crafted HTTPS POST request that overrides a session variable governing authorization decisions. Exploitation is contingent on the optional Job Performance (SUPReMM) module being installed; without it, the vulnerable code path is not reachable. No public exploit code exists and no active exploitation has been identified at time of analysis; the vendor released a fix in v11.0.3 on 2026-05-12 following private disclosure on 2026-04-06.
Session variable manipulation in Open XDMoD prior to version 11.0.3 enables low-privileged authenticated remote attackers to bypass access control logic by submitting a crafted HTTPS POST request that overrides a session variable governing authorization decisions. Exploitation is contingent on the optional Job Performance (SUPReMM) module being installed; without it, the vulnerable code path is not reachable. No public exploit code exists and no active exploitation has been identified at time of analysis; the vendor released a fix in v11.0.3 on 2026-05-12 following private disclosure on 2026-04-06.