VYPR
← All advisories
Medium severityNVD Advisory· Published Jun 5, 2026· Updated Jun 5, 2026

CVE-2026-45776

CVE-2026-45776

Description

Open XDMoD versions prior to 11.0.3 are vulnerable to broken access control, allowing unauthorized users to view job efficiency metrics.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Open XDMoD versions prior to 11.0.3 are vulnerable to broken access control, allowing unauthorized users to view job efficiency metrics.

Vulnerability

A flaw in Open XDMoD's access control logic allows an attacker to submit a crafted HTTPS POST request that sets a session variable used for authorization decisions. This vulnerability affects all deployments of Open XDMoD prior to version 11.0.3 that include the optional Job Performance (SUPReMM) module [1].

Exploitation

An attacker can exploit this vulnerability by sending a specially crafted HTTPS POST request to the affected Open XDMoD installation. This request manipulates a session variable that influences authorization decisions, potentially bypassing intended data access restrictions. No specific authentication or network position requirements are detailed, but the attack targets the access control logic [1].

Impact

If an installation includes the optional Job Performance (SUPReMM) module, a successful exploit allows an attacker to bypass intended data access restrictions and view other users' compute job efficiency metrics. The scope of the compromise is limited to unauthorized access to sensitive job performance data [1].

Mitigation

The vulnerability was patched in Open XDMoD version 11.0.3, released on 2026-05-12 [2]. As a workaround, users can manually apply a provided patch file before upgrading. Instructions for applying the patch are available in the references [1].

References
  1. Broken Access Control via Client-Controlled Session Variable in Open XDMoD
  2. Release Open XDMoD 11.0.3 · ubccr/xdmod

AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Ubccr/Xdmodreferences2 versions
    (expand)+ 1 more
    • (no CPE)
    • (no CPE)range: <11.0.3

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

3

News mentions

0

No linked articles in our index yet.