Description
openDCIM version 23.04, through commit 4467e9c4, contains a missing authorization vulnerability in install.php and container-install.php. The installer and upgrade handler expose LDAP configuration functionality without enforcing application role checks. Any authenticated user can access this functionality regardless of assigned privileges. In deployments where REMOTE_USER is set without authentication enforcement, the endpoint may be accessible without credentials. This allows unauthorized modification of application configuration.
Published: 2026-02-27
Score: 9.3 Critical
EPSS: 41.9% Moderate
KEV: No
Impact: Unauthorized Configuration Modification
Action: Patch Immediately
AI Analysis

Impact

The vulnerability resides in the install.php and container-install.php scripts of openDCIM 23.04. The installer exposes LDAP configuration interfaces without enforcing proper role checks. Consequently, any authenticated user, or in some cases an unauthenticated user when REMOTE_USER is set, can alter the application's LDAP settings. This lets an attacker manipulate critical configuration, potentially compromising data integrity and enabling further attacks if the altered configuration grants elevated privileges or provides a pivot into other network resources.

Affected Systems

The flaw affects the openDCIM 23.04 community edition. Any deployment that includes the specified commit 4467e9c4 and retains the default install.php and container-install.php files is vulnerable.

Risk and Exploitability

The CVSS v3.1 score of 9.3 assigns the vulnerability a critical rating. With an EPSS of 42%, the probability of exploitation in the near term is high. The vulnerability is not yet listed in the CISA KEV catalog, but the missing authorization checks allow attackers to modify configuration files and introduce arbitrary code or misconfigure services. Attackers can exploit it through the web interface, and in environments where REMOTE_USER is enabled without authentication enforcement, no credentials are required.

Generated by OpenCVE AI on April 16, 2026 at 15:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the fixed release of openDCIM or apply the patch from the official pull request 1664 that restores proper role checks.
  • Remove or rename the install.php and container-install.php scripts from the web root after installation to eliminate the installation entry points.
  • Configure the web server to enforce authentication for any remaining installation or upgrade URLs and restrict access to administrators only.
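As an added example (not openDCIM's own code and not part of the advisory), the POSIX shell helper below applies the second and third actions above: it moves install.php and container-install.php out of the web root into a backup directory that is not served, reports whether any installer script is still reachable, and writes an Apache 2.4 FilesMatch rule that denies web access to those file names as a second layer in case an upgrade re-creates them. The paths in the usage comment and the backup location are assumptions for illustration, not openDCIM defaults.

```shell
#!/bin/sh
# Added hardening helper (not part of openDCIM): removes the installer entry points named
# in the advisory from the web root and writes an Apache 2.4 deny rule as a second layer.
# The paths used in the usage comment below are assumptions, not openDCIM defaults.

# Installer/upgrade scripts the advisory names as the unauthorized entry points.
installer_scripts() {
  printf '%s\n' install.php container-install.php
}

# Move each installer script out of the served tree into a backup directory that sits
# outside the web root (a rename inside the web root could still be served as text).
disable_installers() {
  docroot="$1"
  backup="$2"
  mkdir -p "$backup"
  for f in $(installer_scripts); do
    if [ -f "$docroot/$f" ]; then
      mv "$docroot/$f" "$backup/$f"
      echo "moved $f out of $docroot"
    fi
  done
}

# Print how many installer scripts are still present under the web root (0 means clean).
remaining_installers() {
  count=0
  for f in $(installer_scripts); do
    [ -e "$1/$f" ] && count=$((count + 1))
  done
  echo "$count"
}

# Write an Apache 2.4 snippet that denies web access to the installer scripts even if a
# later upgrade re-creates them. Include it from the site's vhost or <Directory> block.
write_apache_guard() {
  cat > "$1" <<'EOF'
# Deny web access to openDCIM installer/upgrade entry points (CVE-2026-28515 hardening)
<FilesMatch "^(install|container-install)\.php$">
    Require all denied
</FilesMatch>
EOF
}

# Usage (paths are assumptions):
#   sh harden-opendcim.sh /var/www/opendcim /var/backups/opendcim-installer \
#      /etc/apache2/conf-available/opendcim-installer.conf
if [ "$#" -ge 3 ]; then
  disable_installers "$1" "$2"
  write_apache_guard "$3"
  echo "installer scripts still in web root: $(remaining_installers "$1")"
fi
```

After running it, enable the generated configuration and reload the web server, then confirm that requests for /install.php and /container-install.php return 403 rather than the installer page. Keep the backup directory readable only by the administrative account so the moved scripts cannot be re-exposed by accident.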

Advisories

No advisories yet.

History

Tue, 10 Mar 2026 15:15:00 +0000

Type      Values Removed   Values Added
CPEs                       cpe:2.3:a:opendcim:opendcim:23.04:*:*:*:*:*:*:*
Metrics                    cvssV3_1
                           {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Mon, 02 Mar 2026 22:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 02 Mar 2026 12:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Opendcim
                                       Opendcim opendcim
Vendors & Products                     Opendcim
                                       Opendcim opendcim

Fri, 27 Feb 2026 22:30:00 +0000

Type         Values Removed   Values Added
Description                   openDCIM version 23.04, through commit 4467e9c4, contains a missing authorization vulnerability in install.php and container-install.php. The installer and upgrade handler expose LDAP configuration functionality without enforcing application role checks. Any authenticated user can access this functionality regardless of assigned privileges. In deployments where REMOTE_USER is set without authentication enforcement, the endpoint may be accessible without credentials. This allows unauthorized modification of application configuration.
Title                         openDCIM <= 23.04 Missing Authorization in install.php
Weaknesses                    CWE-862
References
Metrics                       cvssV4_0
                              {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-02T21:46:46.681Z

Reserved: 2026-02-27T21:07:55.465Z

Link: CVE-2026-28515

Vulnrichment

Updated: 2026-03-02T21:46:43.179Z

NVD

Status: Analyzed

Published: 2026-02-27T23:16:05.960

Modified: 2026-03-10T15:03:39.680

Link: CVE-2026-28515

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T15:15:39Z

Weaknesses