Description
LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to version 9.5, a local file inclusion was detected in the PDF export that allows users to include local PHP files and this way execute code. In combination with GHSA-88hf-2cjm-m9g8 this allows to execute arbitrary code. Users need to login to LAM to exploit this vulnerability. Version 9.5 fixes the issue. Although upgrading is recommended, a workaround would be to make /var/lib/ldap-account-manager/config read-only for the web-server user and delete the PDF profile files (making PDF exports impossible).
Published: 2026-03-17
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution via Authenticated Local File Inclusion
Action: Immediate Patch
AI Analysis

Impact

LDAP Account Manager contains a local file inclusion flaw in its PDF export that allows authenticated users to load arbitrary local PHP files, leading to code execution. In combination with a related GHSA advisory, the flaw permits arbitrary code execution on the server. The vulnerability requires an authenticated LAM session and threatens the confidentiality, integrity, and availability of the hosting system.

Affected Systems

LDAPAccountManager’s LAM web frontend is affected. All releases prior to version 9.5 are vulnerable, and users running these older versions should upgrade. The product handles LDAP entries and DHCP settings via a web interface.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, while an EPSS score below 1% suggests low current exploitation probability; the vulnerability is not listed in CISA's KEV catalog. The flaw requires authentication, so the attack vector is local from an authenticated user through the PDF export feature, allowing remote code execution on the server.

Generated by OpenCVE AI on March 23, 2026 at 19:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LDAP Account Manager to version 9.5 or later.
  • If an immediate upgrade is not possible, make the directory /var/lib/ldap-account-manager/config read‑only for the web‑server user.
  • Delete any existing PDF profile files to disable PDF exports until the upgrade is performed.

Generated by OpenCVE AI on March 23, 2026 at 19:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Ldap-account-manager
Ldap-account-manager ldap Account Manager
CPEs cpe:2.3:a:ldap-account-manager:ldap_account_manager:*:*:*:*:*:*:*:*
Vendors & Products Ldap-account-manager
Ldap-account-manager ldap Account Manager

Wed, 18 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 18 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Ldapaccountmanager
Ldapaccountmanager lam
Vendors & Products Ldapaccountmanager
Ldapaccountmanager lam

Wed, 18 Mar 2026 00:15:00 +0000

Type Values Removed Values Added
Description LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to version 9.5, a local file inclusion was detected in the PDF export that allows users to include local PHP files and this way execute code. In combination with GHSA-88hf-2cjm-m9g8 this allows to execute arbitrary code. Users need to login to LAM to exploit this vulnerability. Version 9.5 fixes the issue. Alhtough upgrading is recommended, a workaround would be to make /var/lib/ldap-account-manager/config read-only for the web-server user and delete the PDF profile files (making PDF exports impossible). LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to version 9.5, a local file inclusion was detected in the PDF export that allows users to include local PHP files and this way execute code. In combination with GHSA-88hf-2cjm-m9g8 this allows to execute arbitrary code. Users need to login to LAM to exploit this vulnerability. Version 9.5 fixes the issue. Although upgrading is recommended, a workaround would be to make /var/lib/ldap-account-manager/config read-only for the web-server user and delete the PDF profile files (making PDF exports impossible).

Wed, 18 Mar 2026 00:00:00 +0000

Type Values Removed Values Added
Description LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to version 9.5, a local file inclusion was detected in the PDF export that allows users to include local PHP files and this way execute code. In combination with GHSA-88hf-2cjm-m9g8 this allows to execute arbitrary code. Users need to login to LAM to exploit this vulnerability. Version 9.5 fixes the issue. Alhtough upgrading is recommended, a workaround would be to make /var/lib/ldap-account-manager/config read-only for the web-server user and delete the PDF profile files (making PDF exports impossible).
Title LAM has Authenticated Local File Inclusion (LFI) in PDF export
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Ldap-account-manager Ldap Account Manager
Ldapaccountmanager Lam
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-18T19:54:13.831Z

Reserved: 2026-02-24T15:19:29.717Z

Link: CVE-2026-27894

cve-icon Vulnrichment

Updated: 2026-03-18T19:54:05.503Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-18T00:16:19.607

Modified: 2026-03-23T18:03:22.703

Link: CVE-2026-27894

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:54:17Z

Weaknesses