CVE-2026-24891
Published: 20 February 2026
Summary
CVE-2026-24891 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in It-Novum Openitcockpit. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked at the 38.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing supplies malicious serialized objects, detecting unsafe deserialization and supporting corrective actions.
Evaluation of untrusted data handling (deserialization testing) reveals unsafe processing, which the required remediation process addresses.
Untrusted serialized data can be deserialized and observed inside the chamber, blocking gadget-chain exploitation outside the sandbox.
Validates or rejects untrusted serialized data before deserialization occurs.
Identifies and blocks malicious code introduced through deserialization of untrusted data at system boundaries.
Integrity verification of serialized information can detect tampering before deserialization occurs.
Provenance of associated data allows detection of untrusted sources before deserialization or processing occurs.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unsafe deserialization in network-exposed Gearman worker directly enables remote service exploitation (T1210) leading to RCE via PHP object injection that achieves Unix shell command execution (T1059.004).
NVD Description
openITCOCKPIT is an open source monitoring tool built for different monitoring engines like Nagios, Naemon and Prometheus. Versions 5.3.1 and below contain an unsafe deserialization sink in the Gearman worker implementation. The worker function registered as oitc_gearman calls PHP's unserialize()…
more
on job payloads without enforcing class restrictions or validating data origin. While the intended deployment assumes only trusted internal components enqueue Gearman jobs, this trust boundary is not enforced in application code. In environments where the Gearman service or worker is exposed to untrusted systems, an attacker may submit crafted serialized payloads to trigger PHP Object Injection in the worker process. This vulnerability is exploitable when Gearman listens on non-local interfaces, network access to TCP/4730 is unrestricted, or untrusted systems can enqueue jobs. Default, correctly hardened deployments may not be immediately exploitable, but the unsafe sink remains present in code regardless of deployment configuration. Enforcing this trust boundary in code would significantly reduce risk and prevent exploitation in misconfigured environments. This issue has been fixed in version 5.4.0.
Deeper analysisAI
CVE-2026-24891 is an unsafe deserialization vulnerability (CWE-502) in openITCOCKPIT, an open source monitoring tool for engines like Nagios, Naemon, and Prometheus. It affects versions 5.3.1 and below, specifically in the Gearman worker implementation. The worker function oitc_gearman calls PHP's unserialize() on job payloads without enforcing class restrictions or validating data origin, creating a PHP Object Injection sink. While intended deployments assume trusted internal components enqueue jobs, the code does not enforce this trust boundary.
Exploitation requires network access (AV:N) to the Gearman service, high attack complexity (AC:H), and low privileges (PR:L), with no user interaction needed (UI:N) and unchanged scope (S:U). Attackers can submit crafted serialized payloads if Gearman listens on non-local interfaces, TCP/4730 access is unrestricted, or untrusted systems can enqueue jobs. Successful exploitation triggers PHP Object Injection in the worker process, enabling high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), with an overall CVSS v3.1 score of 7.5.
The vulnerability is addressed in openITCOCKPIT version 5.4.0. Security practitioners should upgrade to this version to eliminate the unsafe sink. Additional details are available in the GitHub security advisory at https://github.com/openITCOCKPIT/openITCOCKPIT/security/advisories/GHSA-x4mq-8gfg-frc4 and release notes at https://github.com/openITCOCKPIT/openITCOCKPIT/releases/tag/openITCOCKPIT-5.4.0.
Details
- CWE(s)