CVE-2026-28516 - Vulnerability Details

- openDCIM <= 23.04 SQL Injection in Config::UpdateParameter

Description

openDCIM version 23.04, through commit 4467e9c4, contains a SQL injection vulnerability in Config::UpdateParameter. The install.php and container-install.php handlers pass user-supplied input directly into SQL statements using string interpolation without prepared statements or proper input sanitation. An authenticated user can execute arbitrary SQL statements against the underlying database.

Published: 2026-02-27

Score: 9.3 Critical

EPSS: 21.4% Moderate

KEV: No

Impact:

Action:

Analysis

Impact

openDCIM version 23.04 contains a flaw in the Config::UpdateParameter function where user supplied input is interpolated directly into SQL statements without sanitization. An attacker who is authenticated to the web application can inject and execute arbitrary SQL commands against the underlying database, potentially compromising data confidentiality, integrity, and availability.

Affected Systems

The affected product is openDCIM, specifically all releases up to and including 23.04 that contain the vulnerable commit 4467e9c4.

Risk and Exploitability

The vulnerability scores a Base CVSS of 9.3, indicating critical severity, and has an EPSS probability of 21%, suggesting a relatively high likelihood of exploitation. It is not listed in the CISA Known Exploited Vulnerabilities catalog, but publicly available proof‑of‑concept code demonstrates it is actively exploitable. Attackers who can authenticate locally or through a restricted user role are the most likely vectors, as the injection requires valid session credentials to trigger the vulnerable code.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

openDCIM

unknown

Version	Status	Constraints
`0`	affected	≤ 23.04

Configuration 1 [-]

cpe:2.3:a:opendcim:opendcim:23.04:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Opendcim

100%

Version	Status	Scheme	Platform
`[0,23.04]`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the official patch from openDCIM (PR #1664) or upgrade to a version that contains the fix.
Temporarily disable or restrict the Config::UpdateParameter functionality by limiting the route to administrators or disabling the feature flag in the application configuration.
Ensure the database account used by openDCIM has only the minimum privileges required (e.g., SELECT and UPDATE on configuration tables) and remove any superuser rights that could allow schema modification or data extraction.

Generated by OpenCVE AI on April 17, 2026 at 13:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.21392.

Exploitation poc

Automatable yes

Technical Impact total

References

Link	Providers
https://chocapikk.com/posts/2026/opendcim-sqli-to-rce/
https://github.com/Chocapikk/opendcim-exploit
https://github.com/opendcim/openDCIM/blob/4467e9c4/config.inc.php#L75-L90
https://github.com/opendcim/openDCIM/blob/4467e9c4/install.php#L420-L434
https://github.com/opendcim/openDCIM/pull/1664
https://github.com/opendcim/openDCIM/pull/1664/changes/8f7ab2a710086a9c8c269560793e47c577ddda09
https://www.vulncheck.com/advisories/opendcim-sql-injection-in-config-updateparameter

History

Tue, 10 Mar 2026 15:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:opendcim:opendcim:23.04:::::::*
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Mon, 02 Mar 2026 22:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 02 Mar 2026 12:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Opendcim Opendcim opendcim
Vendors & Products		Opendcim Opendcim opendcim

Fri, 27 Feb 2026 22:30:00 +0000

Type	Values Removed	Values Added
Description		openDCIM version 23.04, through commit 4467e9c4, contains a SQL injection vulnerability in Config::UpdateParameter. The install.php and container-install.php handlers pass user-supplied input directly into SQL statements using string interpolation without prepared statements or proper input sanitation. An authenticated user can execute arbitrary SQL statements against the underlying database.
Title		openDCIM <= 23.04 SQL Injection in Config::UpdateParameter
Weaknesses		CWE-89
References		https://chocapikk.com/posts/2026/opendcim-sqli-to-rce/ https://github.com/Chocapikk/opendcim-exploit https://github.com/opendcim/openDCIM/blob/4467e9c4/config.inc.php#L75-L90 https://github.com/opendcim/openDCIM/blob/4467e9c4/install.php#L420-L434 https://github.com/opendcim/openDCIM/pull/1664 https://github.com/opendcim/openDCIM/pull/1664/changes/8f7ab2a710086a9c8c269560793e47c577ddda09 https://www.vulncheck.com/advisories/opendcim-sql-injection-in-config-updateparameter
Metrics		cvssV4_0 `{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}`

Subscriptions

Opendcim Opendcim

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2026-02-27T22:11:52.246Z

Updated: 2026-03-02T21:47:22.322Z

Reserved: 2026-02-27T21:07:55.466Z

Link: CVE-2026-28516

Vulnrichment

Updated: 2026-03-02T21:47:19.064Z

NVD

Status : Analyzed

Published: 2026-02-27T23:16:06.180

Modified: 2026-03-10T14:46:09.200

Link: CVE-2026-28516

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T14:00:15Z

Weaknesses

CWE-89

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact High

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation poc

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object