Description
openDCIM version 23.04, through commit 4467e9c4, contains a SQL injection vulnerability in Config::UpdateParameter. The install.php and container-install.php handlers pass user-supplied input directly into SQL statements using string interpolation without prepared statements or proper input sanitation. An authenticated user can execute arbitrary SQL statements against the underlying database.
Published: 2026-02-27
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

openDCIM 23.04 suffers from a SQL injection flaw (CWE-89) in the Config::UpdateParameter routine: the install.php and container-install.php handlers pass user-supplied values into SQL statements by string interpolation, with no prepared statements and no input validation. Whatever reaches the statement as data is therefore also parsed as SQL, so an application user who can reach those handlers can run arbitrary SQL against the backing database and compromise the confidentiality, integrity, and availability of everything it holds.
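The following Python model is an added illustration, not code from openDCIM or from this record. It shows the interpolation pattern the description attributes to Config::UpdateParameter beside the parameterized form that removes it, and runs two constructed payloads through both: one that rewrites every row (integrity) and one that copies another row's value into the updated parameter (confidentiality). The Config table, its column names, the function names and the payloads are assumptions built for the example; SQLite stands in for openDCIM's real database, and the `||` concatenation in the second payload is SQLite syntax (MySQL treats `||` as logical OR unless PIPES_AS_CONCAT is set, so the equivalent there would use CONCAT()).

```python
import sqlite3

# Constructed sample data for the example. Table and column names are
# assumptions, not openDCIM's schema.
SEED_ROWS = [
    ("SiteName", "Datacenter A"),
    ("TimeZone", "UTC"),
    ("MailServer", "mail.example.internal"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory Config table seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Config (Parameter TEXT PRIMARY KEY, Value TEXT)")
    conn.executemany("INSERT INTO Config VALUES (?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def update_parameter_vulnerable(conn: sqlite3.Connection, parameter: str, value: str) -> int:
    """The CWE-89 pattern: caller-supplied strings are interpolated into the
    statement text, so the database cannot tell data from SQL.
    Returns the number of rows the UPDATE touched."""
    sql = f"UPDATE Config SET Value='{value}' WHERE Parameter='{parameter}'"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_parameter_fixed(conn: sqlite3.Connection, parameter: str, value: str) -> int:
    """Parameterised form: the SQL text is constant and the values travel
    separately as bound parameters, so a payload is stored as a literal."""
    cur = conn.execute("UPDATE Config SET Value=? WHERE Parameter=?", (value, parameter))
    conn.commit()
    return cur.rowcount


def dump(conn: sqlite3.Connection) -> dict:
    """Return the whole table as {Parameter: Value} for inspection."""
    return dict(conn.execute("SELECT Parameter, Value FROM Config"))


# Payload 1 (integrity): closes the string literal and comments out the
# WHERE clause, so the UPDATE rewrites every row instead of one.
WIPE_PAYLOAD = "pwned' -- "

# Payload 2 (confidentiality): SQLite's || concatenation plus a subselect
# copies another row's value into the row being updated, so a user allowed
# to write one parameter reads a different one back through the UI.
EXFIL_PAYLOAD = "' || (SELECT Value FROM Config WHERE Parameter='MailServer') || '"


def demo() -> dict:
    """Run both payloads through the vulnerable and fixed routines against
    fresh databases and return the resulting tables keyed by scenario."""
    results = {}
    for name, payload in (("wipe", WIPE_PAYLOAD), ("exfil", EXFIL_PAYLOAD)):
        conn = make_db()
        update_parameter_vulnerable(conn, "TimeZone", payload)
        results[f"vulnerable_{name}"] = dump(conn)
        conn = make_db()
        update_parameter_fixed(conn, "TimeZone", payload)
        results[f"fixed_{name}"] = dump(conn)
    return results


if __name__ == "__main__":
    for scenario, table in demo().items():
        print(scenario, table)
```

In the vulnerable path the first payload leaves all three rows reading `pwned` and the second leaves TimeZone holding the MailServer value; the parameterized path stores each payload verbatim in TimeZone and touches nothing else, which is the whole difference between interpolation and binding.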

Affected Systems

The affected product is openDCIM. The CNA title scopes the issue to openDCIM <= 23.04, with 23.04 through commit 4467e9c4 named explicitly, and the NVD CPE entry lists only 23.04. The record does not state that earlier releases are unaffected, so deployments on older releases should check whether their Config::UpdateParameter implementation interpolates its arguments rather than assume they are out of scope.

Risk and Exploitability

The CNA-assigned CVSS 4.0 base score is 9.3 (Critical); NVD's CVSS 3.1 score is 8.8 (High). The EPSS score is below 1%, a very low estimated probability of exploitation in the wild, and the issue is not in the CISA KEV catalog, but the SSVC assessment records public proof-of-concept code (Exploitation: poc, Automatable: yes). The description says an authenticated user can trigger the injection, and NVD's 3.1 vector rates it PR:L, so the most likely vector is a compromised or insider account. Note, however, that the CNA's 4.0 vector rates it PR:N, and the handlers named are install.php and container-install.php, so verify on your own deployment whether those endpoints are reachable before authentication. A successful attack yields arbitrary SQL execution against the database: data theft, modification, or denial of service.

Generated by OpenCVE AI on June 18, 2026 at 10:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the upstream openDCIM fix (the record cites PR #1664) or upgrade to a release that contains it. The Remediation field above records no vendor fix, so confirm the patch in the openDCIM repository before relying on it.
  • The description names install.php and container-install.php as the handlers that reach Config::UpdateParameter. Restrict access to those scripts at the web server, or remove them once installation is complete, and limit configuration changes to administrators; the record identifies no application feature flag that disables this code path.
  • Run openDCIM against a database account that holds only the privileges the application needs on its own schema (DML on its own tables) and nothing administrative: if the backend is MySQL/MariaDB, no FILE, SUPER, or GRANT OPTION, and no rights on other schemas. This limits what an injected statement can read, write, or alter; it does not remove the vulnerability.

Generated by OpenCVE AI on June 18, 2026 at 10:36 UTC.

Advisories

No advisories yet.

History

Tue, 10 Mar 2026 15:00:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:opendcim:opendcim:23.04:*:*:*:*:*:*:*
Metrics | | cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Mon, 02 Mar 2026 22:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 12:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Opendcim; Opendcim opendcim
Vendors & Products | | Opendcim; Opendcim opendcim

Fri, 27 Feb 2026 22:30:00 +0000

Type | Values Removed | Values Added
Description | | openDCIM version 23.04, through commit 4467e9c4, contains a SQL injection vulnerability in Config::UpdateParameter. The install.php and container-install.php handlers pass user-supplied input directly into SQL statements using string interpolation without prepared statements or proper input sanitation. An authenticated user can execute arbitrary SQL statements against the underlying database.
Title | | openDCIM <= 23.04 SQL Injection in Config::UpdateParameter
Weaknesses | | CWE-89
References | | 
Metrics | | cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-23T16:14:15.098Z

Reserved: 2026-02-27T21:07:55.466Z

Link: CVE-2026-28516

Vulnrichment

Updated: 2026-03-02T21:47:19.064Z

NVD

Status : Analyzed

Published: 2026-02-27T23:16:06.180

Modified: 2026-06-17T10:28:46.880

Link: CVE-2026-28516

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T10:45:03Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')