Vulnerability DatabaseCVE-2026-28515
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-28515
February 27, 2026
openDCIM version 23.04, through commit 4467e9c4, contains a missing authorization vulnerability in install.php and container-install.php. The installer and upgrade handler expose LDAP configuration functionality without enforcing application role checks. Any authenticated user can access this functionality regardless of assigned privileges. In deployments where REMOTE_USER is set without authentication enforcement, the endpoint may be accessible without credentials. This allows unauthorized modification of application configuration.
Related Resources (8)
https://chocapikk.com/posts/2026/opendcim-sqli-to-rce/
https://github.com/opendcim/openDCIM/pull/1664
https://github.com/opendcim/openDCIM/blob/4467e9c4/install.php#L293
https://www.vulncheck.com/advisories/opendcim-missing-authorization-in-install-php
https://github.com/opendcim/openDCIM/blob/4467e9c4/install.php#L420-L434
https://github.com/opendcim/openDCIM/blob/4467e9c4/container-install.php#L421-L435
https://github.com/opendcim/openDCIM/pull/1664/changes/8f7ab2a710086a9c8c269560793e47c577ddda09
https://github.com/Chocapikk/opendcim-exploit
Do you need more information?
Contact Us
CVSS v4
Base Score:
9.3
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
9.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
Missing Authorization
CWE-862
EPSS
Base Score:
0.22