Cyber Resilience

CVE-2026-28515

CriticalPublic PoC

Published: 27 February 2026

Published
27 February 2026
Modified
10 March 2026
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0116 63.0th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-28515 is a critical-severity Missing Authorization (CWE-862) vulnerability in Opendcim Opendcim. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 37.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

openDCIM version 23.04 through commit 4467e9c4 contains a missing authorization vulnerability in install.php and container-install.php. The installer and upgrade handler expose LDAP configuration functionality without enforcing application role checks, allowing any authenticated user to reach the endpoints regardless of assigned privileges. In deployments that set REMOTE_USER without additional authentication enforcement, the same endpoints may be reachable without credentials, resulting in unauthorized modification of application configuration. The issue is tracked as CWE-862 with a CVSS 4.0 score of 9.3.

An attacker with a valid session, or in some cases no credentials at all, can alter LDAP settings and thereby change core application behavior. The vulnerability affects the installation and upgrade paths specifically, so exploitation is possible both during initial setup and on running instances that expose those scripts.

Public references include source-code links to the affected lines in install.php and container-install.php, a detailed write-up discussing further attack chains, and a companion exploit repository. The EPSS score sits at 0.4509 with no material rise from a lower baseline.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

openDCIM version 23.04, through commit 4467e9c4, contains a missing authorization vulnerability in install.php and container-install.php. The installer and upgrade handler expose LDAP configuration functionality without enforcing application role checks. Any authenticated user can access this functionality regardless of assigned privileges.…

more

In deployments where REMOTE_USER is set without authentication enforcement, the endpoint may be accessible without credentials. This allows unauthorized modification of application configuration.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability is a missing authorization flaw in a network-accessible web application (openDCIM), enabling low-privileged or potentially unauthenticated remote attackers to modify LDAP and application configurations (T1190: Exploit Public-Facing Application). This directly facilitates privilege escalation from low privileges to control over critical configurations, potentially leading to full system compromise (T1068: Exploitation for Privilege Escalation).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28516Same product: Opendcim Opendcim
CVE-2026-28517Same product: Opendcim Opendcim
CVE-2025-2110Shared CWE-862
CVE-2026-39432Shared CWE-862
CVE-2026-22683Shared CWE-862
CVE-2022-45830Shared CWE-862
CVE-2025-6754Shared CWE-862
CVE-2026-2001Shared CWE-862
CVE-2025-15041Shared CWE-862
CVE-2025-13313Shared CWE-862

Affected Assets

opendcim
opendcim
23.04

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces authorization checks before allowing access to the LDAP configuration functions in install.php and container-install.php.

prevent

Ensures only users with explicit administrative privileges can reach or modify application configuration endpoints, blocking the any-authenticated-user exposure.

prevent

Restricts the ability to perform configuration changes to authorized roles, limiting the impact of the missing authorization checks on the installer scripts.

References