CVE-2026-29782
Published: 02 April 2026
Summary
CVE-2026-29782 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Devcode Openstamanager. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 17.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Requires timely identification, reporting, and patching of the unsafe PHP object deserialization flaw in oauth2.php, directly preventing exploitation as addressed in version 2.10.2.
- Mandates validation of the attacker-controlled 'state' GET parameter at system entry points to block loading of malicious records from the zz_oauth2 table for deserialization.
- Implements memory protections such as DEP and ASLR to mitigate arbitrary code execution from deserialized gadgets in the access_token field.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated PHP deserialization flaw in a publicly reachable web endpoint (oauth2.php) directly enables remote exploitation of public-facing applications (T1190). Successful object injection yields arbitrary code execution on the server, which is achieved through command/scripting interpreters (T1059).
NVD Description
OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the oauth2.php file in OpenSTAManager is an unauthenticated endpoint ($skip_permissions = true). It loads a record from the zz_oauth2 table using the attacker-controlled GET parameter state, and during the OAuth2 configuration flow calls unserialize() on the access_token field without any class restriction. This issue has been patched in version 2.10.2.
Deeper analysis
CVE-2026-29782 is a PHP object deserialization vulnerability (CWE-502) affecting OpenSTAManager, an open source management software for technical assistance and invoicing, in versions prior to 2.10.2. The flaw resides in the oauth2.php file, an unauthenticated endpoint where $skip_permissions is set to true. This endpoint loads a record from the zz_oauth2 table using the attacker-controlled GET parameter state and, during the OAuth2 configuration flow, calls unserialize() on the access_token field without any class restrictions.
The vulnerability has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating network accessibility, low attack complexity, high privileges required, no user interaction, and high impacts on confidentiality, integrity, and availability. A privileged attacker can exploit the unauthenticated endpoint by controlling the state parameter to trigger unsafe deserialization, potentially leading to the impacts outlined in the CVSS vector.
The issue was addressed in OpenSTAManager version 2.10.2. Mitigation involves upgrading to this patched version. Details are provided in the GitHub security advisory (GHSA-whv5-4q2f-q68g), release notes for v2.10.2, and the fixing commit (d2e38cbdf91a831cefc0da1548e02b297ae644cc).
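The pattern the advisory describes, as an added example that is not OpenSTAManager's own code: an unrestricted unserialize() on a stored access_token value beside a hardened replacement that forbids class instantiation and validates the decoded shape (the input validation the SI-10 control calls for). The row layout, the expected keys and the size limit are assumptions; only the zz_oauth2 table and access_token column names come from the advisory.

```php
<?php
// Added example, not the project's code. $row stands for one zz_oauth2
// record (assumed shape: ['access_token' => <serialized string>]).

// Unsafe shape: every class named in the stored value is instantiated,
// so any object the string carries gets its magic methods run.
function loadTokenUnsafe(array $row)
{
    return unserialize($row['access_token']);
}

// Hardened shape: no class may be instantiated (objects surface only as
// __PHP_Incomplete_Class), and the result must match the expected array.
function loadTokenSafe(array $row): ?array
{
    $raw = $row['access_token'] ?? '';
    if (!is_string($raw) || $raw === '' || strlen($raw) > 8192) {
        return null; // assumed size bound; tokens are small
    }
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data) || !isset($data['access_token'], $data['expires'])) {
        return null; // wrong shape, or the payload was an object
    }
    $bad = false;
    array_walk_recursive($data, function ($v) use (&$bad) {
        if (is_object($v)) { // incomplete-class residue nested inside
            $bad = true;
        }
    });
    return $bad ? null : $data;
}

// Constructed sample rows: a legitimate token and one that carries an object.
$good = ['access_token' => serialize(['access_token' => 'tok', 'expires' => 1800])];
$obj  = ['access_token' => serialize((object) ['x' => 1])];

var_dump(loadTokenSafe($good) !== null); // bool(true)
var_dump(loadTokenSafe($obj));           // NULL: rejected without instantiating anything
```

Storing the token as JSON and reading it with json_decode() removes the deserialization surface entirely; the allowed_classes guard is the minimal fix when the storage format cannot change.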
Details
- CWE(s)