Description
openITCOCKPIT is an open source monitoring tool built for different monitoring engines like Nagios, Naemon and Prometheus. Versions 5.3.1 and below contain an unsafe deserialization sink in the Gearman worker implementation. The worker function registered as oitc_gearman calls PHP's unserialize() on job payloads without enforcing class restrictions or validating data origin. While the intended deployment assumes only trusted internal components enqueue Gearman jobs, this trust boundary is not enforced in application code. In environments where the Gearman service or worker is exposed to untrusted systems, an attacker may submit crafted serialized payloads to trigger PHP Object Injection in the worker process. This vulnerability is exploitable when Gearman listens on non-local interfaces, network access to TCP/4730 is unrestricted, or untrusted systems can enqueue jobs. Default, correctly hardened deployments may not be immediately exploitable, but the unsafe sink remains present in code regardless of deployment configuration. Enforcing this trust boundary in code would significantly reduce risk and prevent exploitation in misconfigured environments. This issue has been fixed in version 5.4.0.
Published: 2026-02-20
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An unsafe deserialization sink in the openITCOCKPIT Gearman worker lets an attacker who can enqueue a job supply a crafted serialized PHP object that the worker passes to unserialize() without class restrictions or origin validation. The result is PHP Object Injection in the worker process and, given a usable gadget chain in the code the worker loads, Remote Code Execution on the host running the worker. The weakness is CWE-502 (Deserialization of Untrusted Data); the CVSS impact metrics record high confidentiality, integrity and availability impact.
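As an added example (not code from openITCOCKPIT or from the advisory), the PHP below places the sink the description names, unserialize() on a Gearman job workload with no class restriction, beside two hardened alternatives: unserialize() with allowed_classes => false plus a structural check, and a JSON job format that cannot carry PHP objects at all. Function names, the payload layout and the DemoGadget class are assumptions made for the demonstration; the only identifiers taken from the page are the worker function name oitc_gearman and TCP/4730. DemoGadget stands in for any class the worker's autoloader could instantiate; no specific gadget chain in openITCOCKPIT is asserted.

```php
<?php
// Added example, not openITCOCKPIT's code. It contrasts the sink the advisory
// describes (unserialize() on a raw Gearman job workload, no class restriction)
// with two hardened variants. Function names, the payload layout and the
// DemoGadget class are assumptions made for the demonstration.
declare(strict_types=1);

// Vulnerable shape: whatever the job carries is unserialized as-is. A payload
// beginning O:<len>:"ClassName":... instantiates any loadable class, and that
// class's __wakeup()/__destruct() run inside the worker process.
function handleJobUnsafe(string $workload): mixed
{
    return unserialize($workload);
}

// Hardened shape: never instantiate classes from the payload. With
// allowed_classes => false every object becomes __PHP_Incomplete_Class, on
// which no magic method is invoked; anything that is not a plain array is
// rejected before it reaches business logic.
function handleJobSafe(string $workload): array
{
    $data = @unserialize($workload, ['allowed_classes' => false, 'max_depth' => 16]);
    if (!is_array($data)) {
        throw new UnexpectedValueException('job payload must be a serialized array');
    }
    array_walk_recursive($data, static function ($leaf): void {
        if ($leaf instanceof __PHP_Incomplete_Class) {
            throw new UnexpectedValueException('object in job payload rejected');
        }
    });
    return $data;
}

// Stronger still: drop PHP's native format for the job channel. JSON cannot
// express PHP objects, so there is no object-injection sink to misuse.
function handleJobJson(string $workload): array
{
    $data = json_decode($workload, true, 16, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new UnexpectedValueException('job payload must be a JSON object');
    }
    return $data;
}

// Stand-in for a class an attacker could reach through the worker's autoloader.
// No specific gadget chain in openITCOCKPIT is claimed here.
final class DemoGadget
{
    public string $cmd = '';
    public function __wakeup(): void
    {
        echo "DemoGadget::__wakeup() executed in worker, cmd={$this->cmd}\n";
    }
}

// Constructed payloads; nothing here was captured from a real deployment.
$gadget = new DemoGadget();
$gadget->cmd = 'id';
$objectPayload = serialize($gadget);                        // O:10:"DemoGadget":1:{...}
$nestedPayload = serialize(['host' => 'srv01', 'meta' => $gadget]);
$plainPayload  = serialize(['host' => 'srv01', 'state' => 2]);

echo "unsafe sink, object payload: ";
$r = handleJobUnsafe($objectPayload);                       // __wakeup() fires here
echo ($r instanceof DemoGadget ? "attacker-chosen class instantiated\n" : "\n");

foreach (['object' => $objectPayload, 'nested' => $nestedPayload] as $label => $p) {
    try {
        handleJobSafe($p);                                  // __wakeup() never runs
    } catch (UnexpectedValueException $e) {
        echo "hardened sink, {$label} payload: rejected ({$e->getMessage()})\n";
    }
}
var_dump(handleJobSafe($plainPayload) === ['host' => 'srv01', 'state' => 2]);  // bool(true)
var_dump(handleJobJson('{"host":"srv01","state":2}')['state'] === 2);           // bool(true)

// How the hardened handler would be wired to a worker with the pecl/gearman
// API (assumed usage, not executed here because it needs a running gearmand):
//   $worker = new GearmanWorker();
//   $worker->addServer('127.0.0.1', 4730);
//   $worker->addFunction('oitc_gearman', fn (GearmanJob $job) => handleJobSafe($job->workload()));
```

Run it with `php example.php`: the unsafe path prints the __wakeup() line, showing attacker-controlled code executing in the worker, while both hardened paths reject the object-bearing payloads without ever constructing DemoGadget. The page does not say how 5.4.0 implements its fix; the two hardened functions show what "enforcing the trust boundary in code", as the description puts it, amounts to for this sink. Restricting the listener to localhost remains worthwhile on top of that, but it is a deployment control, not a code-level one.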

Affected Systems

The vulnerability affects openITCOCKPIT software, versions 5.3.1 and earlier. The affected component is the Gearman worker function registered as oitc_gearman, and the issue remains in code regardless of deployment configuration until the upgrade to 5.4.0 or later.

Risk and Exploitability

The CVSS v3.1 base score is 7.5 (vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H): network-reachable with full confidentiality, integrity and availability impact, held below Critical only by the high attack complexity and the low privilege needed to enqueue a job. EPSS is below 1%, the issue is not in CISA's KEV catalog, and the SSVC assessment records exploitation at proof-of-concept level, not automatable, with total technical impact. Exploitation is feasible when Gearman listens on a non-local interface, when TCP/4730 is reachable from untrusted networks, or when an untrusted system can otherwise enqueue jobs; the attacker submits a job whose workload is a crafted serialized PHP object and the worker unserializes it. For environments with an exposed or misconfigured Gearman service the risk is high; where Gearman is bound to localhost and only trusted internal components enqueue jobs, the sink is present but not directly reachable.

Generated by OpenCVE AI on April 17, 2026 at 17:14 UTC.

Remediation

Vendor fix: upgrade to openITCOCKPIT 5.4.0 or later, the version the advisory names as fixed. Until the upgrade, the exposure conditions listed in the description can be removed operationally: bind the Gearman listener to a local or trusted interface, block TCP/4730 from untrusted networks, and allow only trusted internal components to enqueue jobs.

OpenCVE Recommended Actions

  • Upgrade openITCOCKPIT to 5.4.0 or later, the version in which the advisory states the unsafe deserialization sink was fixed.
  • Configure the Gearman listener to bind only to localhost or a trusted internal interface and close TCP/4730 to external hosts.
  • If an upgrade cannot be performed immediately, consider disabling the Gearman worker or placing it behind a firewall that permits only trusted internal services to enqueue jobs.

Advisories

No advisories yet.

History

Tue, 24 Feb 2026 19:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   It-novum
                                      It-novum openitcockpit
CPEs                                  cpe:2.3:a:it-novum:openitcockpit:*:*:*:*:*:*:*:*
Vendors & Products                    It-novum
                                      It-novum openitcockpit

Mon, 23 Feb 2026 15:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Openitcockpit
                                      Openitcockpit openitcockpit
Vendors & Products                    Openitcockpit
                                      Openitcockpit openitcockpit

Fri, 20 Feb 2026 19:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 20 Feb 2026 17:45:00 +0000

Type                 Values Removed   Values Added
Description                           openITCOCKPIT is an open source monitoring tool built for different monitoring engines like Nagios, Naemon and Prometheus. Versions 5.3.1 and below contain an unsafe deserialization sink in the Gearman worker implementation. The worker function registered as oitc_gearman calls PHP's unserialize() on job payloads without enforcing class restrictions or validating data origin. While the intended deployment assumes only trusted internal components enqueue Gearman jobs, this trust boundary is not enforced in application code. In environments where the Gearman service or worker is exposed to untrusted systems, an attacker may submit crafted serialized payloads to trigger PHP Object Injection in the worker process. This vulnerability is exploitable when Gearman listens on non-local interfaces, network access to TCP/4730 is unrestricted, or untrusted systems can enqueue jobs. Default, correctly hardened deployments may not be immediately exploitable, but the unsafe sink remains present in code regardless of deployment configuration. Enforcing this trust boundary in code would significantly reduce risk and prevent exploitation in misconfigured environments. This issue has been fixed in version 5.4.0.
Title                                 openITCOCKPIT has Unsafe PHP Deserialization in Gearman Worker Allowing Conditional Object Injection
Weaknesses                            CWE-502
References
Metrics                               cvssV3_1
                                      {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-20T18:42:14.577Z

Reserved: 2026-01-27T19:35:20.528Z

Link: CVE-2026-24891

Vulnrichment

Updated: 2026-02-20T18:41:56.123Z

NVD

Status : Analyzed

Published: 2026-02-20T18:25:51.143

Modified: 2026-02-24T19:22:32.653

Link: CVE-2026-24891

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T17:15:23Z

Weaknesses