Cyber Resilience

CVE-2026-27181

HighPublic PoC

Published: 18 February 2026

Published
18 February 2026
Modified
20 February 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0071 48.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-27181 is a high-severity Missing Authorization (CWE-862) vulnerability in Mjdm Majordomo. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 48.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-27181, published on 2026-02-18, is a vulnerability in MajorDoMo (also known as Major Domestic Module), an open-source home automation platform. The issue lies in the market module's admin() method, which reads the 'mode' parameter from $_REQUEST using gr('mode') and assigns it directly to $this->mode at the start of execution. This bypasses authentication checks, exposing all mode-gated code paths—including uninstall functionality—to unauthenticated requests via the /objects/?module=market endpoint.

Unauthenticated attackers with network access can exploit this vulnerability through simple GET requests, requiring no privileges (PR:N), low attack complexity (AC:L), and no user interaction (UI:N). By setting mode=uninstall and specifying a module name, they trigger uninstallPlugin(), which deletes module records from the database, executes the module's uninstall() method via eval(), recursively deletes the module's directory and template files with removeTree(), and removes associated cycle scripts. Attackers can iterate through all module names to systematically wipe the entire MajorDoMo installation, resulting in high availability impact (A:H) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and mapping to CWE-862 (Missing Authorization).

Advisories and patches are referenced in VulnCheck's analysis at https://www.vulncheck.com/advisories/majordomo-unauthenticated-module-uninstall-via-market-endpoint, a detailed post at https://chocapikk.com/posts/2026/majordomo-revisited/, and GitHub pull request #1177 at https://github.com/sergejey/majordomo/pull/1177.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

MajorDoMo (aka Major Domestic Module) allows unauthenticated arbitrary module uninstallation through the market module. The market module's admin() method reads gr('mode') from $_REQUEST and assigns it to $this->mode at the start of execution, making all mode-gated code paths reachable without…

more

authentication via the /objects/?module=market endpoint. The uninstall mode handler calls uninstallPlugin(), which deletes module records from the database, executes the module's uninstall() method via eval(), recursively deletes the module's directory and template files using removeTree(), and removes associated cycle scripts. An attacker can iterate through module names and wipe the entire MajorDoMo installation with a series of unauthenticated GET requests.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1485 Data Destruction Impact
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Why these techniques?

The unauthenticated bypass in the publicly accessible /objects/?module=market endpoint directly enables remote exploitation of a web application (T1190). Successful abuse of mode=uninstall triggers recursive directory deletion, database record removal, and script cleanup, mapping to data destruction (T1485).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27174Same product: Mjdm Majordomo
CVE-2026-27179Same product: Mjdm Majordomo
CVE-2026-27175Same product: Mjdm Majordomo
CVE-2026-27180Same product: Mjdm Majordomo
CVE-2026-27177Same product: Mjdm Majordomo
CVE-2026-27178Same product: Mjdm Majordomo
CVE-2025-68547Shared CWE-862
CVE-2020-36852Shared CWE-862
CVE-2026-32817Shared CWE-862
CVE-2025-22657Shared CWE-862

Affected Assets

mjdm
majordomo
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations for access to sensitive functions like module uninstallation, directly preventing unauthenticated exploitation via the market module endpoint.

prevent

Explicitly identifies and authorizes only non-destructive actions without authentication, excluding uninstall mode from public access.

prevent

Validates untrusted inputs such as the 'mode' parameter from $_REQUEST to block unauthorized bypass of authentication-gated code paths.

References