Description
GREENmod uses named pipes for communication between plugins, the web portal, and the system service, but the access control lists for these pipes are configured incorrectly. This allows an attacker to communicate with the stream and upload any XML or JSON file, which will be processed by the named pipe with the privileges of the user under whose context the service is running. This allows for Server-Side Request Forgery to any Windows system on which the agent is installed and which provides communication via SMB or WebDAV.

This issue was fixed in version 2.8.33.
Published: 2026-04-17
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery
Action: Immediate Patch
AI Analysis

Impact

GREENmod uses named pipes for communication between plugins, the web portal, and the system service. The access control lists for these pipes are incorrectly configured, allowing an attacker to send arbitrary XML or JSON data through the pipe. The data is then processed with the privileges of the user under whose context the service runs, giving the attacker the ability to perform server‑side request forgery to any Windows system on which the agent is installed and which offers SMB or WebDAV interfaces.

Affected Systems

Nomios Poland provides the GREENmod product. Versions prior to 2.8.33 are affected; the issue was fixed in version 2.8.33.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. EPSS is not available, so the probability of exploitation is unknown; the vulnerability is not listed in CISA KEV. Based on the description, the likely attack vector involves an attacker interacting with the web portal or a plugin to send data to the misconfigured pipe, after which the agent can contact internal or external Windows systems via SMB or WebDAV. If exploited, the attacker could propagate to internal network resources and potentially achieve further privilege escalation.

Generated by OpenCVE AI on April 18, 2026 at 09:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GREENmod to version 2.8.33 or later to receive the fix for the named pipe ACL misconfiguration.
  • Ensure the GREENmod service runs under a least‑privilege account and verify that the named pipe access control lists allow only intended users and processes.
  • Configure firewall or interface restrictions to block unsolicited SMB and WebDAV traffic from the agent, and monitor for unexpected outbound requests originating from the GREENmod service.

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 21:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Nomios Poland; Nomios Poland greenmod |
| Vendors & Products | | Nomios Poland; Nomios Poland greenmod |

Fri, 17 Apr 2026 12:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Fri, 17 Apr 2026 11:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | GREENmod uses named pipes for communication between plugins, the web portal, and the system service, but the access control lists for these pipes are configured incorrectly. This allows an attacker to communicate with the stream and upload any XML or JSON file, which will be processed by the named pipe with the privileges of the user under whose context the service is running. This allows for Server-Side Request Forgery to any Windows system on which the agent is installed and which provides communication via SMB or WebDav. This issue was fixed in version 2.8.33. |
| Title | | Server-Side Request Forgery in GREENmod |
| Weaknesses | | CWE-918 |
| References | | |
| Metrics | | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L'} |


MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-04-17T11:45:23.719Z

Reserved: 2026-03-30T09:39:43.884Z

Link: CVE-2026-5131

Vulnrichment

Updated: 2026-04-17T11:45:14.103Z

NVD

Status: Awaiting Analysis

Published: 2026-04-17T11:16:11.000

Modified: 2026-04-17T15:07:18.050

Link: CVE-2026-5131

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T09:30:25Z

Weaknesses