Unrated severity · NVD Advisory · Published Feb 27, 2026 · Updated Mar 2, 2026
openDCIM <= 23.04 Missing Authorization in install.php
CVE-2026-28515
Description
openDCIM version 23.04, through commit 4467e9c4, contains a missing authorization vulnerability in install.php and container-install.php. The installer and upgrade handler expose LDAP configuration functionality without enforcing application role checks. Any authenticated user can access this functionality regardless of assigned privileges. In deployments where REMOTE_USER is set without authentication enforcement, the endpoint may be accessible without credentials. This allows unauthorized modification of application configuration.
References
- github.com/opendcim/openDCIM/pull/1664/changes/8f7ab2a710086a9c8c269560793e47c577ddda09 (mitre, patch)
- chocapikk.com/posts/2026/opendcim-sqli-to-rce/ (mitre, technical-description, exploit)
- www.vulncheck.com/advisories/opendcim-missing-authorization-in-install-php (mitre, third-party-advisory)
- github.com/opendcim/openDCIM/pull/1664 (mitre, issue-tracking)
- github.com/opendcim/openDCIM/blob/4467e9c4/container-install.php (mitre)
- github.com/opendcim/openDCIM/blob/4467e9c4/install.php (mitre)