Description
openDCIM version 23.04, through commit 4467e9c4, contains a SQL injection vulnerability in Config::UpdateParameter. The install.php and container-install.php handlers pass user-supplied input directly into SQL statements using string interpolation without prepared statements or proper input sanitation. An authenticated user can execute arbitrary SQL statements against the underlying database.
Published: 2026-02-27
Score: 9.3 Critical
EPSS: 23.8% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

openDCIM version 23.04 includes a flaw in the Config::UpdateParameter function where user‑supplied input is concatenated straight into SQL statements without sanitization. This is a CWE‑89 SQL Injection weakness that allows any authenticated user to execute arbitrary SQL commands against the database, potentially compromising data confidentiality, integrity, and availability.

Affected Systems

The affected product is openDCIM, specifically all releases up to and including 23.04 that contain the vulnerable commit 4467e9c4.

Risk and Exploitability

The vulnerability scores a Base CVSS of 9.3, indicating critical severity, and has an EPSS probability of 24%, suggesting a relatively high likelihood of exploitation. It is not listed in the CISA KEV catalog, but publicly available proof‑of‑concept code demonstrates it is actively exploitable. Attackers who can authenticate locally or through a restricted user role are the most likely vectors, as the injection requires valid session credentials to trigger the vulnerable code.

Generated by OpenCVE AI on May 27, 2026 at 14:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch from openDCIM (PR #1664) or upgrade to a version that contains the fix.
  • Temporarily disable or restrict the Config::UpdateParameter functionality by limiting the route to administrators or disabling the feature flag in the application configuration.
  • Ensure the database account used by openDCIM has only the minimum privileges required (e.g., SELECT and UPDATE on configuration tables) and remove any superuser rights that could allow schema modification or data extraction.

Generated by OpenCVE AI on May 27, 2026 at 14:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 10 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:opendcim:opendcim:23.04:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Mon, 02 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Opendcim
Opendcim opendcim
Vendors & Products Opendcim
Opendcim opendcim

Fri, 27 Feb 2026 22:30:00 +0000

Type Values Removed Values Added
Description openDCIM version 23.04, through commit 4467e9c4, contains a SQL injection vulnerability in Config::UpdateParameter. The install.php and container-install.php handlers pass user-supplied input directly into SQL statements using string interpolation without prepared statements or proper input sanitation. An authenticated user can execute arbitrary SQL statements against the underlying database.
Title openDCIM <= 23.04 SQL Injection in Config::UpdateParameter
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Opendcim Opendcim
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-11T23:11:32.162Z

Reserved: 2026-02-27T21:07:55.466Z

Link: CVE-2026-28516

cve-icon Vulnrichment

Updated: 2026-03-02T21:47:19.064Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-27T23:16:06.180

Modified: 2026-03-10T14:46:09.200

Link: CVE-2026-28516

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T14:45:35Z

Weaknesses