CVE-2026-41917 - Vulnerability Details

- OpenKM 6.3.12 Local File Inclusion via Admin Scripting

Description

OpenKM 6.3.12 contains a local file inclusion vulnerability in the administrative scripting interface at /admin/Scripting that allows authenticated administrators to read arbitrary files by supplying an attacker-controlled filesystem path through the fsPath parameter with action=Load. Attackers can exploit this to access sensitive files including /etc/passwd, configuration files containing database credentials, and JVM keystores accessible to the OpenKM process.

Published: 2026-05-26

Score: 6.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability is a CWE-22 Path Traversal flaw located in the admin scripting interface at /admin/Scripting. By supplying an attacker-controlled value to the fsPath parameter when action=Load, a user who has administrator privileges can read any file that the OpenKM process can access. This permits disclosure of sensitive data such as /etc/passwd, database credentials stored in configuration files, and JVM keystores.

Affected Systems

Affected products are the OpenKM Community Edition and OpenKM Professional Edition, specifically the 6.3.12 release. No other versions are mentioned as impacted. Administrators of these installations are directly at risk when using the admin scripting feature.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity. No EPSS score is provided, and the vulnerability is not listed in the CISA KEV catalog. Exploitability requires valid administrator credentials and network access to the /admin/Scripting endpoint. The attack is therefore limited to systems where privileged users are able to log in, making the risk significant for organizations that maintain open or insufficiently protected administrative interfaces.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Openkm

OpenKM Community Edition

unknown

Version	Status	Constraints
`0`	affected	≤ 6.3.12

Openkm

OpenKM Professional Edition

unknown

Version	Status	Constraints
`0`	affected	≤ 7.1.47

No data.

Vendor Product Confidence Versions

Openkm

95%

Version	Status	Scheme	Platform
`—`	affected	—	—

Openkm

Openkm Community Edition

100%

Version	Status	Scheme	Platform
`[0,6.3.12]`	affected	semver	—

Openkm

Openkm Professional Edition

100%

Version	Status	Scheme	Platform
`[0,7.1.47]`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update to a version of OpenKM newer than 6.3.12 that removes the LFI in the admin scripting API.
Disable or remove the admin scripting functionality if it is not required, or restrict it to trusted IP addresses and enforce HTTPS.
Enforce strong, unique passwords and multi‑factor authentication for all administrator accounts, and monitor login activity for anomalies.

Generated by OpenCVE AI on May 26, 2026 at 15:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00387.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/terrasystemlabs/Exploits/tree/main/OpenKM-Exploits
https://github.com/terrasystemlabs/Exploits/tree/main/OpenKM-Exploits/nuclei-templates/openkm-local-file-execution
https://hub.docker.com/r/openkm/openkm-ce
https://terrasystemlabs.com/post?slug=openkm-zero-day-vulnerabilities-terra-system-labs
https://www.exploit-db.com/exploits/52520
https://www.openkm.com/
https://www.vulncheck.com/advisories/openkm-local-file-inclusion-via-admin-scripting

History

Wed, 27 May 2026 16:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 27 May 2026 10:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Openkm openkm Community Edition Openkm openkm Professional Edition
Vendors & Products		Openkm openkm Community Edition Openkm openkm Professional Edition

Tue, 26 May 2026 14:30:00 +0000

Type	Values Removed	Values Added
Description		OpenKM 6.3.12 contains a local file inclusion vulnerability in the administrative scripting interface at /admin/Scripting that allows authenticated administrators to read arbitrary files by supplying an attacker-controlled filesystem path through the fsPath parameter with action=Load. Attackers can exploit this to access sensitive files including /etc/passwd, configuration files containing database credentials, and JVM keystores accessible to the OpenKM process.
Title		OpenKM 6.3.12 Local File Inclusion via Admin Scripting
First Time appeared		Openkm Openkm openkm
Weaknesses		CWE-22
CPEs		cpe:2.3:a:openkm:openkm:::::community:::* cpe:2.3:a:openkm:openkm:::::professional:::*
Vendors & Products		Openkm Openkm openkm
References		https://github.com/terrasystemlabs/Exploits/tree/main/OpenKM-Exploits https://github.com/terrasystemlabs/Exploits/tree/main/OpenKM-Exploits/nuclei-templates/openkm-local-file-execution https://hub.docker.com/r/openkm/openkm-ce https://terrasystemlabs.com/post?slug=openkm-zero-day-vulnerabilities-terra-system-labs https://www.exploit-db.com/exploits/52520 https://www.openkm.com/ https://www.vulncheck.com/advisories/openkm-local-file-inclusion-via-admin-scripting
Metrics		cvssV3_1 `{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}` cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}`

Subscriptions

Openkm Openkm Openkm Community Edition Openkm Professional Edition

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2026-05-26T14:08:49.680Z

Updated: 2026-05-27T16:08:59.835Z

Reserved: 2026-04-22T15:20:49.860Z

Link: CVE-2026-41917

Vulnrichment

Updated: 2026-05-27T16:08:54.808Z

NVD

Status : Deferred

Published: 2026-05-26T15:16:36.440

Modified: 2026-05-26T19:47:48.987

Link: CVE-2026-41917

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:05:11Z

Weaknesses

CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object