CVE-2026-24891
Published: 20 February 2026
Summary
CVE-2026-24891 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in It-Novum Openitcockpit. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked at the 39.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-24891 is an unsafe deserialization vulnerability (CWE-502) in openITCOCKPIT, an open source monitoring tool for engines like Nagios, Naemon, and Prometheus. It affects versions 5.3.1 and below, specifically in the Gearman worker implementation. The worker function oitc_gearman calls PHP's unserialize() on job payloads without enforcing class restrictions or validating data origin, creating a PHP Object Injection sink. While intended deployments assume trusted internal components enqueue jobs, the code does not enforce this trust boundary.
Exploitation requires network access (AV:N) to the Gearman service, high attack complexity (AC:H), and low privileges (PR:L), with no user interaction needed (UI:N) and unchanged scope (S:U). Attackers can submit crafted serialized payloads if Gearman listens on non-local interfaces, TCP/4730 access is unrestricted, or untrusted systems can enqueue jobs. Successful exploitation triggers PHP Object Injection in the worker process, enabling high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), with an overall CVSS v3.1 score of 7.5.
The vulnerability is addressed in openITCOCKPIT version 5.4.0. Security practitioners should upgrade to this version to eliminate the unsafe sink. Additional details are available in the GitHub security advisory at https://github.com/openITCOCKPIT/openITCOCKPIT/security/advisories/GHSA-x4mq-8gfg-frc4 and release notes at https://github.com/openITCOCKPIT/openITCOCKPIT/releases/tag/openITCOCKPIT-5.4.0.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8363
Vulnerability details
openITCOCKPIT is an open source monitoring tool built for different monitoring engines like Nagios, Naemon and Prometheus. Versions 5.3.1 and below contain an unsafe deserialization sink in the Gearman worker implementation. The worker function registered as oitc_gearman calls PHP's unserialize()…
more
on job payloads without enforcing class restrictions or validating data origin. While the intended deployment assumes only trusted internal components enqueue Gearman jobs, this trust boundary is not enforced in application code. In environments where the Gearman service or worker is exposed to untrusted systems, an attacker may submit crafted serialized payloads to trigger PHP Object Injection in the worker process. This vulnerability is exploitable when Gearman listens on non-local interfaces, network access to TCP/4730 is unrestricted, or untrusted systems can enqueue jobs. Default, correctly hardened deployments may not be immediately exploitable, but the unsafe sink remains present in code regardless of deployment configuration. Enforcing this trust boundary in code would significantly reduce risk and prevent exploitation in misconfigured environments. This issue has been fixed in version 5.4.0.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unsafe deserialization in network-exposed Gearman worker directly enables remote service exploitation (T1210) leading to RCE via PHP object injection that achieves Unix shell command execution (T1059.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-2 requires timely remediation of flaws, directly addressing this CVE by upgrading to openITCOCKPIT 5.4.0 which eliminates the unsafe deserialization sink.
SI-10 mandates validation of information inputs at system entry points, preventing exploitation by enforcing restrictions and validation on Gearman job payloads before deserialization.
SC-7 enforces boundary protection to monitor and control communications at external interfaces, blocking untrusted network access to the Gearman service on TCP/4730 required for exploitation.