Description
OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the oauth2.php file in OpenSTAManager is an unauthenticated endpoint ($skip_permissions = true). It loads a record from the zz_oauth2 table using the attacker-controlled GET parameter state, and during the OAuth2 configuration flow calls unserialize() on the access_token field without any class restriction. This issue has been patched in version 2.10.2.
Published: 2026-04-02
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Unsecured deserialization in the oauth2.php endpoint of OpenSTAManager permits an attacker to supply a crafted state parameter that is unserialized without verification, enabling arbitrary code execution on the server. The vulnerability can compromise confidentiality, integrity, and availability if successfully exploited. The flaw has a CVSS score of 7.2, classifying it as high severity. It reflects a common insecure deserialization weakness as indicated by CWE-502.

Affected Systems

Any deployment of devcode‑it OpenSTAManager running a version earlier than 2.10.2 is impacted because the vulnerable code resides in that release. Organizations using earlier releases should verify the build number and vendor the software for updates.

Risk and Exploitability

Exploitation requires only an unauthenticated HTTP GET request to the oauth2.php script. The EPSS score is reported as less than 1% and the vulnerability is not yet listed in CISA’s KEV catalog, yet the potential for full remote compromise makes it a high priority. Affected systems exposed to external networks or with internal threat actors can be compromised without additional credentials. The attack path is straightforward and does not depend on complicated configuration or post‑exploitation steps.

Generated by OpenCVE AI on April 7, 2026 at 23:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to OpenSTAManager version 2.10.2 or later.

Generated by OpenCVE AI on April 7, 2026 at 23:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-whv5-4q2f-q68g OpenSTAManager Affected by Remote Code Execution via Insecure Deserialization in OAuth2
History

Tue, 07 Apr 2026 21:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:devcode:openstamanager:*:*:*:*:*:*:*:*

Fri, 03 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Devcode
Devcode openstamanager
Vendors & Products Devcode
Devcode openstamanager

Thu, 02 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the oauth2.php file in OpenSTAManager is an unauthenticated endpoint ($skip_permissions = true). It loads a record from the zz_oauth2 table using the attacker-controlled GET parameter state, and during the OAuth2 configuration flow calls unserialize() on the access_token field without any class restriction. This issue has been patched in version 2.10.2.
Title OpenSTAManager: Remote Code Execution via Insecure Deserialization in OAuth2
Weaknesses CWE-502
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Devcode Openstamanager
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T19:52:52.158Z

Reserved: 2026-03-04T16:26:02.898Z

Link: CVE-2026-29782

cve-icon Vulnrichment

Updated: 2026-04-03T19:52:47.217Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-02T14:16:27.237

Modified: 2026-04-07T21:19:46.627

Link: CVE-2026-29782

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:56:31Z

Weaknesses