CVE-2026-27181
Published: 18 February 2026
Summary
CVE-2026-27181 is a high-severity Missing Authorization (CWE-862) vulnerability in Mjdm Majordomo. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 48.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2026-27181, published on 2026-02-18, is a vulnerability in MajorDoMo (also known as Major Domestic Module), an open-source home automation platform. The issue lies in the market module's admin() method, which reads the 'mode' parameter from $_REQUEST using gr('mode') and assigns it directly to $this->mode at the start of execution. This bypasses authentication checks, exposing all mode-gated code paths—including uninstall functionality—to unauthenticated requests via the /objects/?module=market endpoint.
Unauthenticated attackers with network access can exploit this vulnerability through simple GET requests, requiring no privileges (PR:N), low attack complexity (AC:L), and no user interaction (UI:N). By setting mode=uninstall and specifying a module name, they trigger uninstallPlugin(), which deletes module records from the database, executes the module's uninstall() method via eval(), recursively deletes the module's directory and template files with removeTree(), and removes associated cycle scripts. Attackers can iterate through all module names to systematically wipe the entire MajorDoMo installation, resulting in high availability impact (A:H) with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and mapping to CWE-862 (Missing Authorization).
Advisories and patches are referenced in VulnCheck's analysis at https://www.vulncheck.com/advisories/majordomo-unauthenticated-module-uninstall-via-market-endpoint, a detailed post at https://chocapikk.com/posts/2026/majordomo-revisited/, and GitHub pull request #1177 at https://github.com/sergejey/majordomo/pull/1177.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7933
Vulnerability details
MajorDoMo (aka Major Domestic Module) allows unauthenticated arbitrary module uninstallation through the market module. The market module's admin() method reads gr('mode') from $_REQUEST and assigns it to $this->mode at the start of execution, making all mode-gated code paths reachable without…
more
authentication via the /objects/?module=market endpoint. The uninstall mode handler calls uninstallPlugin(), which deletes module records from the database, executes the module's uninstall() method via eval(), recursively deletes the module's directory and template files using removeTree(), and removes associated cycle scripts. An attacker can iterate through module names and wipe the entire MajorDoMo installation with a series of unauthenticated GET requests.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The unauthenticated bypass in the publicly accessible /objects/?module=market endpoint directly enables remote exploitation of a web application (T1190). Successful abuse of mode=uninstall triggers recursive directory deletion, database record removal, and script cleanup, mapping to data destruction (T1485).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces approved authorizations for access to sensitive functions like module uninstallation, directly preventing unauthenticated exploitation via the market module endpoint.
Explicitly identifies and authorizes only non-destructive actions without authentication, excluding uninstall mode from public access.
Validates untrusted inputs such as the 'mode' parameter from $_REQUEST to block unauthorized bypass of authentication-gated code paths.