CVE-2026-28515
Published: 27 February 2026
Summary
CVE-2026-28515 is a high-severity Missing Authorization (CWE-862) vulnerability in Opendcim Opendcim. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 2.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates enforcement of approved authorizations and role checks on sensitive endpoints like install.php and container-install.php to block unauthorized LDAP configuration access.
Implements least privilege to restrict low-privileged authenticated users from accessing high-privilege configuration functions, reducing the blast radius of missing authorization checks.
Enforces access restrictions on mechanisms for system configuration changes, mitigating unauthorized modifications to LDAP and application settings via exposed installer endpoints.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a missing authorization flaw in a network-accessible web application (openDCIM), enabling low-privileged or potentially unauthenticated remote attackers to modify LDAP and application configurations (T1190: Exploit Public-Facing Application). This directly facilitates privilege escalation from low privileges to control over critical configurations, potentially leading to full system compromise (T1068: Exploitation for Privilege Escalation).
NVD Description
openDCIM version 23.04, through commit 4467e9c4, contains a missing authorization vulnerability in install.php and container-install.php. The installer and upgrade handler expose LDAP configuration functionality without enforcing application role checks. Any authenticated user can access this functionality regardless of assigned privileges.…
more
In deployments where REMOTE_USER is set without authentication enforcement, the endpoint may be accessible without credentials. This allows unauthorized modification of application configuration.
Deeper analysisAI
CVE-2026-28515 is a missing authorization vulnerability (CWE-862) affecting openDCIM version 23.04 through commit 4467e9c4. The issue resides in the install.php and container-install.php files, where the installer and upgrade handler expose LDAP configuration functionality without enforcing application role checks. This allows any authenticated user to access these endpoints regardless of their assigned privileges. In deployments where REMOTE_USER is configured without proper authentication enforcement, the endpoints may be reachable without credentials, enabling unauthorized modification of application configuration. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An attacker with low-privilege authenticated access, or potentially no credentials in misconfigured REMOTE_USER environments, can exploit this over the network with low complexity and no user interaction. Successful exploitation grants the ability to arbitrarily modify openDCIM's LDAP and other application configurations, potentially leading to full compromise of the data center infrastructure management system.
References include code excerpts from the vulnerable commits in the official openDCIM GitHub repository, as well as a proof-of-concept exploit repository and a blog post detailing a related SQL injection to remote code execution chain. No official patch details are specified, but upgrading beyond commit 4467e9c4 is implied as a mitigation step; practitioners should review the provided GitHub links for precise remediation.
Details
- CWE(s)