CVE-2026-28515
Severity: HIGH
WAF coverage: Low
CVSS: 8.8
Published: 2026-02-27
CWE-862 (Missing Authorization)
openDCIM version 23.04, through commit 4467e9c4, contains a missing authorization vulnerability in install.php and container-install.php. The installer and upgrade handler expose LDAP configuration functionality without enforcing the application's role checks, so any authenticated user can reach it regardless of assigned privileges. In deployments where REMOTE_USER is set without authentication being enforced, the endpoint may be reachable without credentials at all. The result is unauthorized modification of application configuration.
WAF Coverage Analysis
Weakness: Missing Authorization
WAF coverage: Low
OWASP: A01:2021 Broken Access Control
Affected Software
| Vendor | Product | Version |
|---|---|---|
| opendcim | opendcim | 23.04 |