VYPR
High severity, CVSS 7.2 (NVD Advisory) · Published Apr 2, 2026 · Updated Apr 7, 2026

CVE-2026-29782

Description

OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the oauth2.php file in OpenSTAManager is an unauthenticated endpoint ($skip_permissions = true). It loads a record from the zz_oauth2 table using the attacker-controlled GET parameter state, and during the OAuth2 configuration flow calls unserialize() on the access_token field without any class restriction. This issue has been patched in version 2.10.2.
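As an added illustration of the flaw described above (example code, not OpenSTAManager's own), the following contrasts the unrestricted unserialize() call with a loader that passes allowed_classes and then type-checks the result. The AccessToken class here is a stand-in for the one the project whitelists, and the serialized rows are constructed samples.

```php
<?php
// Added example, not OpenSTAManager code. Stand-in for the AccessToken class
// that src/Models/OAuth2.php whitelists; the real one comes from the project's
// OAuth2 client dependency and has more fields than this.
class AccessToken
{
    public function __construct(private int $expires) {}
    public function hasExpired(): bool { return time() >= $this->expires; }
}

// Pre-2.10.2 behaviour: whatever class name the stored string carries is
// instantiated, so a tampered zz_oauth2.access_token value chooses the class.
function loadTokenUnrestricted(?string $stored): ?object
{
    return $stored ? unserialize($stored) : null;
}

// Hardened loader: restrict unserialize() to the expected class, then verify
// the type, because a payload naming any other class does not fail but comes
// back as __PHP_Incomplete_Class, on which ->hasExpired() would throw an Error.
function loadTokenRestricted(?string $stored): ?AccessToken
{
    if (!$stored) {
        return null;
    }
    $token = unserialize($stored, ['allowed_classes' => [AccessToken::class]]);
    if (!$token instanceof AccessToken) {
        // Log and discard rather than dereference an unexpected object.
        error_log('zz_oauth2.access_token: unexpected payload type, discarding');
        return null;
    }
    return $token;
}

// Constructed sample column values, not real database content.
$legit = serialize(new AccessToken(time() + 3600));
$bogus = 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}'; // unrelated class in the column

var_dump(loadTokenUnrestricted($bogus) instanceof stdClass); // bool(true): caller-chosen class built
var_dump(loadTokenRestricted($bogus));                       // NULL: rejected by the type check
var_dump(loadTokenRestricted($legit)?->hasExpired());        // bool(false): genuine token accepted
```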

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: devcode-it/openstamanager (Packagist)
Affected versions: < 2.10.2
Patched versions: 2.10.2

Affected products: 1

Patches: 1

Commit d2e38cbdf91a

fix: Remote Code Execution via Insecure Deserialization in OAuth2

1 file changed · +2 -2
  • src/Models/OAuth2.php (+2 -2, modified)
    @@ -148,7 +148,7 @@ public function getAccessToken()
         {
             $this->checkTokens();
     
    -        return $this->attributes['access_token'] ? unserialize($this->attributes['access_token']) : null;
    +        return $this->attributes['access_token'] ? unserialize($this->attributes['access_token'], ['allowed_classes' => [AccessToken::class]]) : null;
         }
     
         /**
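Review bot: the allowed_classes option on the new `unserialize()` call in `getAccessToken()` prevents other classes from being instantiated, but a stored value naming a class outside the allow-list still deserializes successfully as `__PHP_Incomplete_Class` instead of failing, so callers receive an object that is not an `AccessToken`. Add an `$token instanceof AccessToken` check after the call and return null (or throw) otherwise. The hunk also does not show a `use` statement for `AccessToken`; confirm the short name resolves in this file.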
    @@ -190,7 +190,7 @@ protected function updateTokens($access_token, $refresh_token)
          */
         protected function checkTokens()
         {
    -        $access_token = $this->access_token ? unserialize($this->access_token) : null;
    +        $access_token = $this->access_token ? unserialize($this->access_token, ['allowed_classes' => [AccessToken::class]]) : null;
     
             if (!empty($access_token) && $access_token->hasExpired()) {
                 // Tentativo di refresh del token di accesso
    
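Review bot: in `checkTokens()` the `!empty($access_token)` guard on the following line is true for a `__PHP_Incomplete_Class` instance, so if the stored value names a class outside the allow-list, `$access_token->hasExpired()` throws an Error rather than treating the token as invalid. Replace the guard with `$access_token instanceof AccessToken && $access_token->hasExpired()` so a mismatched payload is discarded instead of dereferenced.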

References: 5

News mentions: 0 (no linked articles in our index yet)