CVE-2026-28515

openDCIM <= 23.04 Missing Authorization in install.php

CVSS 9.3 CRITICALEPSS 1.2%CWE-862

Vexday Risk Score

63High priority

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 9.3EPSS 1.2%KEV nãoPoC públicaNuclei —Metasploit simPatch —

Lifecycle

27 Feb 2026Published on NVD

28 Feb 2026Metasploit module available

Recommendation: Plan a near-term fix — a public PoC already exists.

openDCIM version 23.04, through commit 4467e9c4, contains a missing authorization vulnerability in install.php and container-install.php. The installer and upgrade handler expose LDAP configuration functionality without enforcing application role checks. Any authenticated user can access this functionality regardless of assigned privileges. In deployments where REMOTE_USER is set without authentication enforcement, the endpoint may be accessible without credentials. This allows unauthorized modification of application configuration.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected products

openDCIM · openDCIM

public PoCs found — 2

cve_referencechocapikk.com/posts/2026/opendcim-sqli-to-rce/unverified cve_referencegithub.com/Chocapikk/opendcim-exploitunverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://chocapikk.com/posts/2026/opendcim-sqli-to-rce/https://github.com/Chocapikk/opendcim-exploit https://github.com/opendcim/openDCIM/blob/4467e9c4/container-install.php#L421-L435 https://github.com/opendcim/openDCIM/blob/4467e9c4/install.php#L293 https://github.com/opendcim/openDCIM/blob/4467e9c4/install.php#L420-L434 https://github.com/opendcim/openDCIM/pull/1664 https://github.com/opendcim/openDCIM/pull/1664/changes/8f7ab2a710086a9c8c269560793e47c577ddda09 https://www.vulncheck.com/advisories/opendcim-missing-authorization-in-install-php