CVE-2026-27181
Published: 18 February 2026
Summary
CVE-2026-27181 is a high-severity Missing Authorization (CWE-862) vulnerability in Mjdm Majordomo. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 22.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Requiring an access control policy ensures authorization checks are defined and applied for critical functions.
Reviews of access controls detect missing authorization checks on critical functions or resources.
Documenting permitted unauthenticated actions prevents missing authorization by making all exceptions explicit and subject to organizational review.
Requiring attribute association with information prevents authorization from being performed without necessary security or privacy context.
Mandating authorization prior to allowing remote connections addresses missing authorization for remote access.
Mandating authorization before wireless connections are allowed prevents missing authorization for wireless access.
The control requires authorization before allowing mobile device connections, directly mitigating missing authorization for system access.
Requiring approvals for account creation and specifying authorizations ensures authorization is not missing for system access.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The unauthenticated bypass in the publicly accessible /objects/?module=market endpoint directly enables remote exploitation of a web application (T1190). Successful abuse of mode=uninstall triggers recursive directory deletion, database record removal, and script cleanup, mapping to data destruction (T1485).
NVD Description
MajorDoMo (aka Major Domestic Module) allows unauthenticated arbitrary module uninstallation through the market module. The market module's admin() method reads gr('mode') from $_REQUEST and assigns it to $this->mode at the start of execution, making all mode-gated code paths reachable without…
more
authentication via the /objects/?module=market endpoint. The uninstall mode handler calls uninstallPlugin(), which deletes module records from the database, executes the module's uninstall() method via eval(), recursively deletes the module's directory and template files using removeTree(), and removes associated cycle scripts. An attacker can iterate through module names and wipe the entire MajorDoMo installation with a series of unauthenticated GET requests.
Deeper analysisAI
CVE-2026-27181, published on 2026-02-18, is a vulnerability in MajorDoMo (also known as Major Domestic Module), an open-source home automation platform. The issue lies in the market module's admin() method, which reads the 'mode' parameter from $_REQUEST using gr('mode') and assigns it directly to $this->mode at the start of execution. This bypasses authentication checks, exposing all mode-gated code paths—including uninstall functionality—to unauthenticated requests via the /objects/?module=market endpoint.
Unauthenticated attackers with network access can exploit this vulnerability through simple GET requests, requiring no privileges (PR:N), low attack complexity (AC:L), and no user interaction (UI:N). By setting mode=uninstall and specifying a module name, they trigger uninstallPlugin(), which deletes module records from the database, executes the module's uninstall() method via eval(), recursively deletes the module's directory and template files with removeTree(), and removes associated cycle scripts. Attackers can iterate through all module names to systematically wipe the entire MajorDoMo installation, resulting in high availability impact (A:H) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and mapping to CWE-862 (Missing Authorization).
Advisories and patches are referenced in VulnCheck's analysis at https://www.vulncheck.com/advisories/majordomo-unauthenticated-module-uninstall-via-market-endpoint, a detailed post at https://chocapikk.com/posts/2026/majordomo-revisited/, and GitHub pull request #1177 at https://github.com/sergejey/majordomo/pull/1177.
Details
- CWE(s)