CVSS 9.8

OpenSTAManager affected by unauthenticated privilege escalation via modules/utenti/actions.php

CVE-2026-27012 · GHSA-247v-7cw6-q57v

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
| Vendor | Product | Affected versions | Fix available |
| --- | --- | --- | --- |
| devcode-it | openstamanager | <= 2.9.8 | No |
| devcode | openstamanager | <= 2.9.8 | No |
| devcode-it | devcode-it/openstamanager | <= 2.9.8 | No |
Original title
OpenSTAManager affected by unauthenticated privilege escalation via modules/utenti/actions.php
Original description
### Summary
A privilege escalation and authentication bypass vulnerability in OpenSTAManager allows any attacker to arbitrarily change a user's group (`idgruppo`) by directly calling `modules/utenti/actions.php`. This can promote an existing account (e.g. agent) into the Amministratori group as well as demote any user including existing administrators.

### Details
`modules/utenti/actions.php` is reachable directly via `http://<IP>:8080/modules/utenti/actions.php` and processes privileged updates without any authentication or authorization check on fields such as `idgruppo`. As a result, an attacker can submit a crafted POST request that updates the target's record and assigns it to the administrator group.

The file explicitly sets:
```php
// Opt out of the permission system before the core is loaded
$skip_permissions = true;
include_once __DIR__.'/../../core.php';
```
`core.php` then invokes:

```php
// Honours the flag above: no authentication or permission enforcement for this request
Permissions::skip();
```
This disables all authentication and permission enforcement for the file. The file then dispatches on the `op` parameter of the POST request, so every operation it implements is exposed, not only `update_user`, and sensitive fields such as `idgruppo` can be updated without any verification.
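Because the exposure comes from a file-level opt-out rather than from one operation, an administrator will want to know every endpoint in the tree that sets the same flag and which `op` values each one dispatches on. The following Python script is an added example, not the advisory's or OpenSTAManager's own code: it walks a PHP tree for the `$skip_permissions = true;` pattern quoted above and collects the `case '...':` labels of each such file. The two sample files it writes are constructed for the demo, and the `switch ($op)` dispatcher shape and the `disable_user` op name are assumptions, not facts taken from the project.

```python
"""Codebase audit for PHP endpoints that disable permission checks.

Added example; not the advisory's or OpenSTAManager's own code.  It finds
files that set `$skip_permissions = true;` (the opt-out the advisory quotes)
and lists the `op` values each one dispatches on, so a defender can see which
operations are reachable with no authentication at all.
ASSUMPTIONS: the dispatcher branches with `case 'name':` on the `op`
parameter; the sample sources below are constructed, not real project files.
"""
import os
import re
import tempfile

# Match the flag only as a statement at the start of a line (a commented-out
# `// $skip_permissions = true;` is not an opt-out and is not matched).
SKIP_RE = re.compile(r"^\s*\$skip_permissions\s*=\s*true\s*;", re.MULTILINE)
CASE_RE = re.compile(r"""case\s*['"]([A-Za-z0-9_]+)['"]\s*:""")

# Constructed sample sources (NOT the real project files).
SAMPLE_FILES = {
    "modules/utenti/actions.php": (
        "<?php\n"
        "$skip_permissions = true;\n"
        "include_once __DIR__.'/../../core.php';\n"
        "switch ($op) {\n"
        "    case 'update_user':\n"
        "        // writes idgruppo with no auth check\n"
        "        break;\n"
        "    case 'disable_user':   // constructed op name\n"
        "        break;\n"
        "}\n"
    ),
    "modules/example_module/actions.php": (   # constructed module name
        "<?php\n"
        "include_once __DIR__.'/../../core.php';\n"   # permission checks stay on
        "switch ($op) {\n"
        "    case 'update':\n"
        "        break;\n"
        "}\n"
    ),
}


def audit_php_tree(root):
    """Return {relative_path: [op, ...]} for every .php file under `root` that
    opts out of permission checks; files that never set the flag are skipped."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            if SKIP_RE.search(src):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings[rel] = sorted(set(CASE_RE.findall(src)))
    return findings


def build_sample_tree():
    """Write the constructed samples into a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="osm_audit_")
    for rel, src in SAMPLE_FILES.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(src)
    return root


if __name__ == "__main__":
    # Point audit_php_tree() at a real checkout instead of the sample tree.
    for path, ops in sorted(audit_php_tree(build_sample_tree()).items()):
        print(f"{path}: permission checks skipped; ops reachable: "
              f"{', '.join(ops) or '(no case labels found)'}")
```

Run it against a real checkout by replacing `build_sample_tree()` with the installation's document root; each reported file is an endpoint whose operations run without the framework's permission checks and deserves the same review as `modules/utenti/actions.php`.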

### PoC
A target user exists, for example "agent" with ID 4. No authentication or cookies are required. Send the following POST request via Burp Suite or a similar tool:
![Screenshot: crafted POST request to actions.php in Burp Suite](https://github.com/user-attachments/assets/2e8cb148-1b5d-4e5c-9c73-05ed75d64188)
The target's group is updated in the database.
Verify the changes in the database before and after the POST request:
![Screenshot: the user's group in the database before and after the request](https://github.com/user-attachments/assets/49f63ca0-8a04-4dd1-b27c-69699d2ce26f)
The change is also visible in the administrator panel: the user has been moved from the Agenti group to Amministratori.
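The PoC is driven with no cookies at all, which gives a defender a usable signal in web-server logs: a POST to the affected endpoint that carries no session cookie cannot have come from a logged-in browser. The Python sweep below is an added example, not part of the advisory or of OpenSTAManager. It reads access-log lines in Apache "combined" format extended with a trailing `%{Cookie}i` field and flags POSTs to `/modules/utenti/actions.php` without a session cookie. It assumes the session cookie is named `PHPSESSID` (PHP's default; adjust if the deployment renames it), and the log lines it contains are constructed with RFC 5737 test addresses.

```python
"""Log sweep for unauthenticated requests to modules/utenti/actions.php.

Added example; not part of the advisory or of OpenSTAManager.  Input is
Apache "combined" format with a trailing "%{Cookie}i" field.  A POST to the
affected endpoint whose Cookie header is absent ("-") or carries no session id
cannot have come from a logged-in browser and is flagged.
ASSUMPTIONS: session cookie name PHPSESSID (PHP default); SAMPLE_LOG is
constructed test data, not real traffic.
"""
import re
from collections import Counter

TARGET_PATH = "/modules/utenti/actions.php"
SESSION_COOKIE = "PHPSESSID"  # assumption: PHP's default session cookie name

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

# Constructed sample log (RFC 5737 addresses); the fourth line shows a request
# that has *a* cookie but no session id, the third is an unrelated GET, and
# the last line is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.7 - - [06/Mar/2026:10:14:02 +0000] "POST /modules/utenti/actions.php HTTP/1.1" 200 57 "-" "python-requests/2.31" "-"
198.51.100.12 - - [06/Mar/2026:10:15:40 +0000] "POST /modules/utenti/actions.php HTTP/1.1" 200 57 "https://osm.example.test/" "Mozilla/5.0" "PHPSESSID=2f1c9e; lang=it"
203.0.113.7 - - [06/Mar/2026:10:16:11 +0000] "GET /index.php HTTP/1.1" 200 8123 "-" "python-requests/2.31" "-"
203.0.113.7 - - [06/Mar/2026:10:16:30 +0000] "POST /modules/utenti/actions.php HTTP/1.1" 200 57 "-" "curl/8.5" "theme=dark"
garbage line that does not parse
"""


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def has_session(cookie_field):
    """True when the Cookie header carries a session id; '-' means no header."""
    if cookie_field == "-":
        return False
    return any(c.strip().startswith(SESSION_COOKIE + "=")
               for c in cookie_field.split(";"))


def find_unauthenticated_actions(log_text, target=TARGET_PATH):
    """Return parsed entries that POST to `target` without a session cookie."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # malformed line: skip it rather than abort the sweep
        if entry["method"] != "POST":
            continue
        if entry["path"].split("?", 1)[0] != target:  # ignore any query string
            continue
        if has_session(entry["cookie"]):
            continue
        hits.append(entry)
    return hits


def summarize(hits):
    """Count flagged requests per source address for triage."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    flagged = find_unauthenticated_actions(SAMPLE_LOG)
    for h in flagged:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} cookie={h["cookie"]!r}')
    print("per-source counts:", dict(summarize(flagged)))
```

Two caveats when reading the results. The HTTP status is no help here: because the endpoint skips permission checks, an unauthenticated request succeeds with 200 just like a legitimate one, so confirmation has to come from the data, as the advisory does by comparing the user's group in the database before and after. And the missing-cookie test only catches requests sent the way the PoC sends them; a client can attach an arbitrary cookie, so any POST to this path from a source that never completed a login is worth the same review.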

### Impact
An unauthenticated attacker can assign administrator privileges to existing users, modify group memberships, enable/disable accounts and other operations that are exposed in the file. This can lead to a full compromise of the application.
NVD CVSS 3.1: 9.8
Vulnerability type
CWE-306 Missing Authentication for Critical Function
Published: 3 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026