Description
LDAP Account Manager (LAM) is a web frontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to version 9.5, the PDF export component does not correctly validate uploaded file extensions. As a result, any file type (including .php files) can be uploaded. With GHSA-w7xq-vjr3-p9cf, an attacker can achieve remote code execution as the web server user. Version 9.5 fixes the issue. Although upgrading is recommended, a workaround would be to make /var/lib/ldap-account-manager/config read-only for the web-server user.
Published: 2026-03-17
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

The vulnerability resides in the PDF export component of LDAP Account Manager, where an incorrect regular-expression check (CWE-185) fails to validate the extensions of uploaded files. An authenticated LAM user (the CVSS vector requires low privileges, PR:L) can therefore upload a file of any type, including a .php script, into a location the web server will serve and execute, and so run code as the user account under which the web server is running.
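As an added illustration (not LAM's code: the page gives only the title "incorrect regular expression" and CWE-185, not the actual pattern), the block below shows a hypothetical extension check that passes every filename next to a hardened form. It is written in Python rather than LAM's PHP; the constructs involved (optional groups, anchors, fullmatch versus `$`) behave the same under PCRE's preg_match. The file names and contents in the demo are constructed.

```python
import re

# Hypothetical broken check of the CWE-185 kind: every piece after "^.*" is
# optional, so the pattern matches any name at all, "shell.php" included.
# (Constructed illustration; LAM's real expression is not shown on this page.)
BROKEN = re.compile(r"^.*\.?(jpg|jpeg|png|pdf)?$", re.IGNORECASE)

# Hardened check: constrained base name, exactly one dot, a mandatory
# extension from the allow-list, applied with fullmatch so that a trailing
# newline cannot slip past "$".
HARDENED = re.compile(r"[A-Za-z0-9_-]{1,64}\.(jpg|jpeg|png|pdf)", re.IGNORECASE)

# Leading bytes of the allowed formats; the extension alone proves nothing.
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
}


def broken_is_allowed(filename: str) -> bool:
    """preg_match-style search with the broken pattern; accepts everything."""
    return BROKEN.search(filename) is not None


def hardened_is_allowed(filename: str, content: bytes) -> bool:
    """Allow-list the extension, then confirm the content matches that type."""
    m = HARDENED.fullmatch(filename)
    if m is None:
        return False
    return content.startswith(MAGIC[m.group(1).lower()])


if __name__ == "__main__":
    # Constructed sample uploads: one legitimate logo and two disguised scripts.
    samples = [
        ("logo.png", MAGIC["png"] + b"\x00" * 16),
        ("shell.php", b"<?php echo 'planted'; ?>"),
        ("logo.png.php", MAGIC["png"] + b"<?php echo 1; ?>"),
    ]
    for name, data in samples:
        print(f"{name:14} broken={broken_is_allowed(name)!s:5} "
              f"hardened={hardened_is_allowed(name, data)}")
```

Even the hardened check is only one layer: uploads should also land in a directory the web server does not execute scripts from, and the server-side content check matters more than the name.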

Affected Systems

Installations of LDAP Account Manager earlier than 9.5 are affected. The flaw is in the web frontend's PDF export component, which accepts file uploads; it is independent of the operating system or web server in use, because the faulty check lives in LAM itself. Version 9.5 corrects it.

Risk and Exploitability

The CVSS 3.1 base score is 4.3 (Medium; vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N), and the EPSS probability is below 1%, so widespread exploitation is not expected at present; the SSVC assessment rates exploitation as none and the issue as not automatable. The base score understates the practical impact: it scores only the unauthorized file write (I:L), while the description states that the upload leads to remote code execution as the web-server user, from which full compromise of the host follows if that user holds elevated privileges. Exploitation requires an account that can reach the LAM web interface and use the PDF export upload (PR:L); no user interaction is needed. The issue is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on March 23, 2026 at 19:28 UTC.

Remediation

Fixed in LDAP Account Manager 9.5. Until the upgrade is applied, the vendor workaround is to make /var/lib/ldap-account-manager/config read-only for the web-server user.

OpenCVE Recommended Actions

  • Upgrade LDAP Account Manager to version 9.5 or later
  • If upgrading is not immediately possible, make /var/lib/ldap-account-manager/config read-only for the web-server user so that the PDF export component can no longer write uploaded files there; note that this also blocks legitimate configuration changes made through the web interface until write access is restored
  • After patching, check the config tree for files that do not belong there (anything with a .php extension or PHP content), since a script uploaded before the upgrade is not removed by it
  • Verify that the latest security updates are applied and monitor vendor advisories for future fixes
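An added verification script, not part of LAM or of this advisory: it walks a LAM config tree, reports files that do not belong there (unexpected extension, PHP-like double extension, PHP open tag in the content), lists the entries a given uid could still write, and applies the read-only workaround by stripping every write bit. The expected file types and the fixture layout (a server profile, a PDF structure under pdf/, logos under pdf/<profile>/logos/) are assumptions, and the planted files are constructed. Run it against /var/lib/ldap-account-manager/config with the web-server user's uid.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Assumption: LAM keeps server profiles (.conf), PDF structures (.xml) and
# logo images under the config tree; anything outside this set is worth a look.
EXPECTED_SUFFIXES = {".conf", ".xml", ".pdf", ".jpg", ".jpeg", ".png", ".gif"}
PHP_NAME_PARTS = {"php", "php3", "php5", "php7", "php8", "phtml", "phar"}
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def scan_config_dir(root):
    """Return [(relative path, [reasons])] for files that do not belong in the tree."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        reasons = []
        if path.suffix.lower() not in EXPECTED_SUFFIXES:
            reasons.append("unexpected extension %r" % path.suffix)
        # double extensions such as logo.png.php or shell.php.png
        if any(p.lower() in PHP_NAME_PARTS for p in path.name.split(".")[1:]):
            reasons.append("php-like extension in name")
        with open(path, "rb") as fh:
            head = fh.read(8192)
        if PHP_OPEN_TAG.search(head):
            reasons.append("PHP open tag in content")
        if reasons:
            findings.append((path.relative_to(root).as_posix(), reasons))
    return findings


def writable_by(root, uid=None):
    """Entries under root (root included) that uid can write via the owner bit,
    plus anything group- or world-writable (group membership is not resolved
    here, so those are reported to be safe)."""
    uid = os.getuid() if uid is None else uid
    root = Path(root)
    hits = []
    for path in [root] + sorted(root.rglob("*")):
        if path.is_symlink():
            continue
        st = path.stat()
        owner_w = st.st_uid == uid and st.st_mode & stat.S_IWUSR
        other_w = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
        if owner_w or other_w:
            hits.append(os.path.relpath(path, root))
    return hits


def make_read_only(root):
    """Strip every write bit below root (the workaround named in the advisory).
    If the web-server user owns the tree it can chmod it back, so in production
    also chown the tree to root before relying on this."""
    root = Path(root)
    for path in [root] + sorted(root.rglob("*")):
        if path.is_symlink():
            continue
        path.chmod(stat.S_IMODE(path.stat().st_mode) & ~0o222)


def build_sample_tree():
    """Constructed fixture: a LAM-like config dir with two planted uploads."""
    root = Path(tempfile.mkdtemp(prefix="lam-config-"))
    logos = root / "pdf" / "serverProfile" / "logos"
    logos.mkdir(parents=True)
    (root / "lam.conf").write_text("ServerURL: ldap://localhost:389\n")
    (root / "pdf" / "serverProfile" / "default.xml").write_text("<pdf></pdf>\n")
    (logos / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)
    (logos / "shell.php").write_bytes(b"<?php echo 'planted'; ?>\n")
    (logos / "logo.png.php").write_bytes(b"\x89PNG\r\n\x1a\n<?php echo 1; ?>")
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for rel, reasons in scan_config_dir(tree):
        print(f"{rel}: {', '.join(reasons)}")
    print("writable before:", len(writable_by(tree)))
    make_read_only(tree)
    print("writable after:", len(writable_by(tree)))
```

Review every finding by hand before deleting anything, and keep a copy for the incident record; a planted script's timestamps and the web-server access log around them are the starting point for working out who uploaded it.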



Advisories

No advisories yet.

History

Mon, 23 Mar 2026 18:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Ldap-account-manager; Ldap-account-manager ldap Account Manager
CPEs                                  cpe:2.3:a:ldap-account-manager:ldap_account_manager:*:*:*:*:*:*:*:*
Vendors & Products                    Ldap-account-manager; Ldap-account-manager ldap Account Manager

Wed, 18 Mar 2026 20:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Mar 2026 12:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Ldapaccountmanager; Ldapaccountmanager lam
Vendors & Products                    Ldapaccountmanager; Ldapaccountmanager lam

Wed, 18 Mar 2026 00:15:00 +0000

Type                 Values Removed   Values Added
Description                           LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to version 9.5, the PDF export component does not correctly validate uploaded file extensions. This way any file type (including .php files) can be uploaded. With GHSA-w7xq-vjr3-p9cf, an attacker can achieve remote code execution as the web server user. Version 9.5 fixes the issue. Although upgrading is recommended, a workaround would be to make /var/lib/ldap-account-manager/config read-only for the web-server user.
Title                                 LAM has incorrect regular expression in PDF export component that allows user to upload files of any type
Weaknesses                            CWE-185
References
Metrics                               cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-18T19:55:14.059Z

Reserved: 2026-02-24T15:19:29.717Z

Link: CVE-2026-27895

Vulnrichment

Updated: 2026-03-18T19:55:07.971Z

NVD

Status : Analyzed

Published: 2026-03-18T00:16:19.780

Modified: 2026-03-23T18:02:27.917

Link: CVE-2026-27895

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:54:16Z

Weaknesses