CVE-2026-27012
Published: 03 March 2026
Summary
CVE-2026-27012 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Devcode Openstamanager. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the 14.1th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-2 (Account Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 enforces approved authorizations for accessing sensitive endpoints like actions.php, directly preventing unauthorized user group modifications and privilege escalations.
AC-14 explicitly limits unauthenticated actions to non-sensitive operations, mitigating the authentication bypass that allows direct calls to modify user groups.
AC-2 requires secure management of account attributes including group memberships, preventing arbitrary changes to idgruppo without proper authorization.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote exploitation of a public-facing web application endpoint to modify group membership maps directly to T1190 (Exploit Public-Facing Application), T1068 (Exploitation for Privilege Escalation), and T1098 (Account Manipulation, via arbitrary group changes).
NVD Description
OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, a privilege escalation and authentication bypass vulnerability in OpenSTAManager allows any attacker to arbitrarily change a user's group (idgruppo) by directly calling modules/utenti/actions.php. This can promote an existing account (e.g. agent) into the Amministratori group as well as demote any user including existing administrators.
Deeper analysis
CVE-2026-27012 is a privilege escalation and authentication bypass vulnerability affecting OpenSTAManager, an open source management software for technical assistance and invoicing, in versions 2.9.8 and earlier. The flaw arises in the modules/utenti/actions.php component, which allows attackers to arbitrarily modify a user's group membership (idgruppo) without proper authentication. This CWE-306 issue, rated at CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), enables unauthorized elevation or demotion of user privileges.
Any unauthenticated attacker with network access can exploit this vulnerability by directly invoking the affected PHP endpoint, requiring no privileges, user interaction, or complex setup. Successful exploitation grants the ability to promote low-privilege accounts, such as agents, to the Amministratori (administrators) group, or demote existing administrators, potentially leading to full compromise of the application, data access, modification, or denial of service.
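As an added detection example (not part of this advisory or of the OpenSTAManager project), the following Python flags requests to the endpoint named above that carry the idgruppo parameter either without an authenticated session (the CWE-306 condition) or from an authenticated non-administrator. The JSON-lines log schema, its field names, the sample IP addresses and the "agent" group label are constructed assumptions; only the path, parameter and Amministratori group name come from the advisory.

```python
import json
from typing import Dict, List, Optional, Tuple

# Values named in the advisory itself.
TARGET_PATH = "/modules/utenti/actions.php"
GROUP_PARAM = "idgruppo"
ADMIN_GROUP = "Amministratori"

# Constructed sample log lines (JSON lines); schema, IPs and the "agent" label are assumptions.
SAMPLE_LOG = """\
{"ts":"2026-03-03T10:00:01Z","src":"203.0.113.7","method":"POST","path":"/modules/utenti/actions.php","params":{"idgruppo":"1","id":"42"},"session":false,"actor_group":null}
{"ts":"2026-03-03T10:00:05Z","src":"198.51.100.9","method":"POST","path":"/modules/utenti/actions.php","params":{"idgruppo":"1","id":"42"},"session":true,"actor_group":"agent"}
{"ts":"2026-03-03T10:01:00Z","src":"192.0.2.4","method":"POST","path":"/modules/utenti/actions.php","params":{"idgruppo":"2","id":"17"},"session":true,"actor_group":"Amministratori"}
{"ts":"2026-03-03T10:01:30Z","src":"192.0.2.4","method":"GET","path":"/modules/utenti/actions.php","params":{"id":"17"},"session":true,"actor_group":"agent"}
"""

def classify(event: Dict) -> Optional[str]:
    """Return an alert label for one parsed event, or None when it looks benign."""
    if not event.get("path", "").endswith(TARGET_PATH):
        return None
    if GROUP_PARAM not in event.get("params", {}):
        return None  # the endpoint was hit, but no group change was requested
    if not event.get("session"):
        # The CWE-306 condition: a group change attempted with no authenticated session.
        return "unauthenticated_group_change"
    if event.get("actor_group") != ADMIN_GROUP:
        # Authenticated but not an administrator: attempted privilege escalation.
        return "non_admin_group_change"
    return None

def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Parse JSON-lines log text and return (timestamp, source, label) per alert."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        label = classify(event)
        if label:
            alerts.append((event["ts"], event["src"], label))
    return alerts

if __name__ == "__main__":
    for ts, src, label in scan_log(SAMPLE_LOG):
        print(ts, src, label)
```

Administrators changing a group and requests that never touch idgruppo are left unflagged, so the two alerts raised correspond exactly to the promotion and demotion paths the advisory describes.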
For mitigation details, security practitioners should refer to the GitHub Security Advisory at https://github.com/devcode-it/openstamanager/security/advisories/GHSA-247v-7cw6-q57v, which provides guidance on patches and remediation steps.
Details
- CWE(s)