Cyber Resilience

CVE-2026-24891

HighPublic PoCRCE

Published: 20 February 2026

Published
20 February 2026
Modified
24 February 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0018 39.1th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-24891 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in It-Novum Openitcockpit. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked at the 39.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-24891 is an unsafe deserialization vulnerability (CWE-502) in openITCOCKPIT, an open source monitoring tool for engines like Nagios, Naemon, and Prometheus. It affects versions 5.3.1 and below, specifically in the Gearman worker implementation. The worker function oitc_gearman calls PHP's unserialize() on job payloads without enforcing class restrictions or validating data origin, creating a PHP Object Injection sink. While intended deployments assume trusted internal components enqueue jobs, the code does not enforce this trust boundary.

Exploitation requires network access (AV:N) to the Gearman service, high attack complexity (AC:H), and low privileges (PR:L), with no user interaction needed (UI:N) and unchanged scope (S:U). Attackers can submit crafted serialized payloads if Gearman listens on non-local interfaces, TCP/4730 access is unrestricted, or untrusted systems can enqueue jobs. Successful exploitation triggers PHP Object Injection in the worker process, enabling high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), with an overall CVSS v3.1 score of 7.5.

The vulnerability is addressed in openITCOCKPIT version 5.4.0. Security practitioners should upgrade to this version to eliminate the unsafe sink. Additional details are available in the GitHub security advisory at https://github.com/openITCOCKPIT/openITCOCKPIT/security/advisories/GHSA-x4mq-8gfg-frc4 and release notes at https://github.com/openITCOCKPIT/openITCOCKPIT/releases/tag/openITCOCKPIT-5.4.0.

EU & UK References

Vulnerability details

openITCOCKPIT is an open source monitoring tool built for different monitoring engines like Nagios, Naemon and Prometheus. Versions 5.3.1 and below contain an unsafe deserialization sink in the Gearman worker implementation. The worker function registered as oitc_gearman calls PHP's unserialize()…

more

on job payloads without enforcing class restrictions or validating data origin. While the intended deployment assumes only trusted internal components enqueue Gearman jobs, this trust boundary is not enforced in application code. In environments where the Gearman service or worker is exposed to untrusted systems, an attacker may submit crafted serialized payloads to trigger PHP Object Injection in the worker process. This vulnerability is exploitable when Gearman listens on non-local interfaces, network access to TCP/4730 is unrestricted, or untrusted systems can enqueue jobs. Default, correctly hardened deployments may not be immediately exploitable, but the unsafe sink remains present in code regardless of deployment configuration. Enforcing this trust boundary in code would significantly reduce risk and prevent exploitation in misconfigured environments. This issue has been fixed in version 5.4.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Unsafe deserialization in network-exposed Gearman worker directly enables remote service exploitation (T1210) leading to RCE via PHP object injection that achieves Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-24892Same product: It-Novum Openitcockpit
CVE-2026-35337Shared CWE-502
CVE-2025-27816Shared CWE-502
CVE-2026-25769Shared CWE-502
CVE-2025-26866Shared CWE-502
CVE-2025-29783Shared CWE-502
CVE-2025-61880Shared CWE-502
CVE-2024-57764Shared CWE-502
CVE-2025-1913Shared CWE-502
CVE-2026-32502Shared CWE-502

Affected Assets

it-novum
openitcockpit
≤ 5.4.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-2 requires timely remediation of flaws, directly addressing this CVE by upgrading to openITCOCKPIT 5.4.0 which eliminates the unsafe deserialization sink.

prevent

SI-10 mandates validation of information inputs at system entry points, preventing exploitation by enforcing restrictions and validation on Gearman job payloads before deserialization.

prevent

SC-7 enforces boundary protection to monitor and control communications at external interfaces, blocking untrusted network access to the Gearman service on TCP/4730 required for exploitation.

References