openDCIM Installer Exposes Configuration to Unauthorized Users
CVE-2026-28515
Summary
The openDCIM installer and upgrade handler (install.php and container-install.php) expose the application's LDAP configuration without checking the caller's application role, so any authenticated user can read and modify it, and in deployments where REMOTE_USER is set without authentication actually being enforced the handler may be reachable with no credentials at all. The result is unauthorized changes to the application's settings. If you use openDCIM, make sure that every request to these handlers is authenticated and role-checked, and that the web server only sets REMOTE_USER after it has verified the user.
Original title
openDCIM version 23.04, through commit 4467e9c4, contains a missing authorization vulnerability in install.php and container-install.php. The installer and upgrade handler expose LDAP configuration...
Original description
openDCIM version 23.04, through commit 4467e9c4, contains a missing authorization vulnerability in install.php and container-install.php. The installer and upgrade handler expose LDAP configuration functionality without enforcing application role checks. Any authenticated user can access this functionality regardless of assigned privileges. In deployments where REMOTE_USER is set without authentication enforcement, the endpoint may be accessible without credentials. This allows unauthorized modification of application configuration.
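The defect described above is a missing role check on an administrative endpoint (CWE-862), compounded by treating a populated REMOTE_USER as proof of authentication. The following PHP is an added illustration written for this page, not openDCIM's code: it shows the gate such a handler needs, mapping REMOTE_USER to an application account and requiring an admin role before the LDAP form is rendered. The user table, role names and function names are constructed assumptions.

```php
<?php
declare(strict_types=1);

// Added illustration, not openDCIM's code. The gate an installer or
// upgrade page that edits LDAP settings should enforce before serving
// anything: identify an application account, then require the admin role.
// lookup_user(), ROLE_ADMIN and the sample accounts are assumptions.

const ROLE_ADMIN = 'admin';

/** Constructed stand-in for the application's user table. */
function lookup_user(string $login): ?array
{
    $users = [
        'alice' => ['login' => 'alice', 'role' => ROLE_ADMIN],
        'bob'   => ['login' => 'bob',   'role' => 'readonly'],
    ];
    return $users[$login] ?? null;
}

/**
 * Decide whether a request may reach the configuration handler.
 * 200: known admin account; 401: no known account identified;
 * 403: account exists but lacks the admin role.
 */
function authorize_config_access(array $server): array
{
    $login = $server['REMOTE_USER'] ?? '';

    // An empty or unknown REMOTE_USER is not an authenticated user. A web
    // server that sets the variable without enforcing authentication must
    // not be able to open the page on its own.
    if ($login === '') {
        return ['status' => 401, 'account' => null];
    }
    $account = lookup_user($login);
    if ($account === null) {
        return ['status' => 401, 'account' => null];
    }

    // Authentication alone is not enough: the role check is what the
    // advisory says was missing.
    if ($account['role'] !== ROLE_ADMIN) {
        return ['status' => 403, 'account' => $account];
    }
    return ['status' => 200, 'account' => $account];
}

// Weak pattern (the class of defect in the advisory): the form is rendered
// as soon as the script is reached, with no authorization decision at all.
function render_ldap_form_unguarded(): string
{
    return 'LDAP settings form';
}

// Hardened handler: the gate runs before anything about LDAP is exposed.
function handle_ldap_config(array $server): string
{
    $auth = authorize_config_access($server);
    if ($auth['status'] !== 200) {
        http_response_code($auth['status']);
        return $auth['status'] === 401
            ? 'authentication required'
            : 'admin role required';
    }
    return render_ldap_form_unguarded();
}

// Constructed requests: anonymous, low-privilege user, admin.
foreach ([[], ['REMOTE_USER' => 'bob'], ['REMOTE_USER' => 'alice']] as $request) {
    echo handle_ldap_config($request), PHP_EOL;
}
```

Run with `php` from the command line: the anonymous and read-only requests are refused with 401 and 403 respectively, and only the admin account reaches the form. The design point is that the account lookup and the role check are one function called at the top of the handler, so there is no code path that renders or saves configuration before the decision is made.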
NVD CVSS 4.0 score
9.3
Vulnerability type
CWE-862
Missing Authorization
References
- https://chocapikk.com/posts/2026/opendcim-sqli-to-rce/
- https://github.com/Chocapikk/opendcim-exploit
- https://github.com/opendcim/openDCIM/blob/4467e9c4/container-install.php#L421-L4...
- https://github.com/opendcim/openDCIM/blob/4467e9c4/install.php#L293
- https://github.com/opendcim/openDCIM/blob/4467e9c4/install.php#L420-L434
- https://github.com/opendcim/openDCIM/pull/1664
- https://github.com/opendcim/openDCIM/pull/1664/changes/8f7ab2a710086a9c8c2695607...
- https://www.vulncheck.com/advisories/opendcim-missing-authorization-in-install-p...
Published: 27 Feb 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026