CVE-2026-28515
Published: 27 February 2026
Summary
CVE-2026-28515 is a critical-severity Missing Authorization (CWE-862) vulnerability in Opendcim Opendcim. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 37.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
openDCIM version 23.04 through commit 4467e9c4 contains a missing authorization vulnerability in install.php and container-install.php. The installer and upgrade handler expose LDAP configuration functionality without enforcing application role checks, allowing any authenticated user to reach the endpoints regardless of assigned privileges. In deployments that set REMOTE_USER without additional authentication enforcement, the same endpoints may be reachable without credentials, resulting in unauthorized modification of application configuration. The issue is tracked as CWE-862 with a CVSS 4.0 score of 9.3.
An attacker with a valid session, or in some cases no credentials at all, can alter LDAP settings and thereby change core application behavior. The vulnerability affects the installation and upgrade paths specifically, so exploitation is possible both during initial setup and on running instances that expose those scripts.
Public references include source-code links to the affected lines in install.php and container-install.php, a detailed write-up discussing further attack chains, and a companion exploit repository. The EPSS score sits at 0.4509 with no material rise from a lower baseline.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9096
Vulnerability details
openDCIM version 23.04, through commit 4467e9c4, contains a missing authorization vulnerability in install.php and container-install.php. The installer and upgrade handler expose LDAP configuration functionality without enforcing application role checks. Any authenticated user can access this functionality regardless of assigned privileges.…
more
In deployments where REMOTE_USER is set without authentication enforcement, the endpoint may be accessible without credentials. This allows unauthorized modification of application configuration.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a missing authorization flaw in a network-accessible web application (openDCIM), enabling low-privileged or potentially unauthenticated remote attackers to modify LDAP and application configurations (T1190: Exploit Public-Facing Application). This directly facilitates privilege escalation from low privileges to control over critical configurations, potentially leading to full system compromise (T1068: Exploitation for Privilege Escalation).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces authorization checks before allowing access to the LDAP configuration functions in install.php and container-install.php.
Ensures only users with explicit administrative privileges can reach or modify application configuration endpoints, blocking the any-authenticated-user exposure.
Restricts the ability to perform configuration changes to authorized roles, limiting the impact of the missing authorization checks on the installer scripts.