Description
openITCOCKPIT is an open source monitoring tool built for different monitoring engines like Nagios, Naemon and Prometheus. openITCOCKPIT Community Edition 5.3.1 and earlier contains an unsafe PHP deserialization pattern in the processing of changelog entries. Serialized changelog data derived from attacker-influenced application state is unserialized without restricting allowed classes. Although no current application endpoint was found to introduce PHP objects into this data path, the presence of an unrestricted unserialize() call constitutes a latent PHP object injection vulnerability. If future code changes, plugins, or refactors introduce object values into this path, the vulnerability could become immediately exploitable with severe impact, including potential remote code execution.
Published: 2026-02-20
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Potential Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

openITCOCKPIT is an open source monitoring tool that, in Community Edition 5.3.1 and earlier, uses PHP unserialize() to process changelog entries without restricting the classes that can be deserialized. The code accepts serialized data that could, in theory, be derived from attacker‑influenced application state. This creates a latent PHP object injection vulnerability: if an attacker supplies crafted serialized data, malicious PHP objects could be instantiated, potentially leading to remote code execution. No public endpoint currently injects objects into this data path, so the flaw is not immediately exploitable.

Affected Systems

Affected users are those running openITCOCKPIT Community Edition 5.3.1 or earlier. The vulnerability was addressed in later releases, specifically the 5.4.0 release, as indicated by the project’s release notes and commit reference. The affected product is openITCOCKPIT, from the vendor of the same name.

Risk and Exploitability

The CVSS score of 7.5 reflects a high severity, but the EPSS score of less than 1% indicates a low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. If future code modifications, plugins, or refactors introduce PHP objects into the changelog data path, the flaw could become immediately exploitable with severe impact. The inferred attack vector is the deserialization of attacker‑controlled input into the changelog handling routine.

Generated by OpenCVE AI on April 17, 2026 at 17:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to openITCOCKPIT 5.4.0 or later, which eliminates the unrestricted unserialize() call.
  • If an upgrade is not yet possible, temporarily disable or delete automated changelog processing to remove the insecure deserialization path.
  • Monitor for plugins or future code changes that introduce unserialized objects into the changelog data path and apply security reviews or implement class restrictions to prevent object injection.

Generated by OpenCVE AI on April 17, 2026 at 17:11 UTC.
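The unrestricted unserialize() pattern the analysis describes, placed beside the class-restricted and type-checked form that the recommended actions call for, as an added PHP example (not openITCOCKPIT's code; the function names and the sample changelog entry are constructed):

```php
<?php
// Constructed sample: a changelog entry stored as a PHP-serialized array of
// scalars, the shape the advisory describes. Hypothetical; not openITCOCKPIT code.
$changelogBlob = serialize([
    'action'  => 'edit',
    'object'  => 'host',
    'changes' => ['name' => ['old' => 'web01', 'new' => 'web01-prod']],
]);

// Weak pattern (CWE-502): any autoloadable class can be instantiated from the
// blob, and its __wakeup()/__destruct() magic methods will run.
function decodeChangelogUnsafe(string $blob): mixed
{
    return unserialize($blob);
}

// Hardened pattern: allowed_classes => false makes every object token decode
// to __PHP_Incomplete_Class instead of a real class, and the result is then
// type-checked, since changelog data must be a plain scalar/array tree.
function decodeChangelogSafe(string $blob): array
{
    $data = @unserialize($blob, ['allowed_classes' => false]);
    if (!is_array($data) || !isScalarTree($data)) {
        throw new UnexpectedValueException('changelog entry is not a scalar array');
    }
    return $data;
}

// Recursive check: only scalars, null and arrays pass; any leftover
// __PHP_Incomplete_Class (or other object) fails.
function isScalarTree(mixed $value): bool
{
    if (is_array($value)) {
        foreach ($value as $item) {
            if (!isScalarTree($item)) {
                return false;
            }
        }
        return true;
    }
    return is_scalar($value) || $value === null;
}

var_dump(decodeChangelogSafe($changelogBlob)['changes']['name']['new']); // "web01-prod"
try { // a serialized stdClass (constructed) is rejected rather than instantiated
    decodeChangelogSafe(serialize((object) ['x' => 1]));
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Where the stored format is under your control, replacing serialize()/unserialize() with json_encode()/json_decode() removes the object-instantiation path entirely.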


Advisories

No advisories yet.

History

Mon, 02 Mar 2026 15:00:00 +0000

Type: First Time appeared
Values Added: It-novum; It-novum openitcockpit

Type: CPEs
Values Added: cpe:2.3:a:it-novum:openitcockpit:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: It-novum; It-novum openitcockpit

Wed, 25 Feb 2026 22:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values Added: Openitcockpit; Openitcockpit openitcockpit

Type: Vendors & Products
Values Added: Openitcockpit; Openitcockpit openitcockpit

Fri, 20 Feb 2026 21:15:00 +0000

Type: Description
Values Added: openITCOCKPIT is an open source monitoring tool built for different monitoring engines like Nagios, Naemon and Prometheus. openITCOCKPIT Community Edition 5.3.1 and earlier contains an unsafe PHP deserialization pattern in the processing of changelog entries. Serialized changelog data derived from attacker-influenced application state is unserialized without restricting allowed classes. Although no current application endpoint was found to introduce PHP objects into this data path, the presence of an unrestricted unserialize() call constitutes a latent PHP object injection vulnerability. If future code changes, plugins, or refactors introduce object values into this path, the vulnerability could become immediately exploitable with severe impact, including potential remote code execution.

Type: Title
Values Added: openITCOCKPIT has Unsafe Deserialization in openITCOCKPIT Changelog Handling

Type: Weaknesses
Values Added: CWE-502

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-25T21:33:48.132Z

Reserved: 2026-01-27T19:35:20.529Z

Link: CVE-2026-24892

Vulnrichment

Updated: 2026-02-25T21:33:41.768Z

NVD

Status : Analyzed

Published: 2026-02-20T21:19:27.310

Modified: 2026-03-02T14:56:48.257

Link: CVE-2026-24892

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T17:15:23Z

Weaknesses