PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-28515 openDCIM CVE debrief

openDCIM version 23.04, through commit 4467e9c4, contains a missing authorization vulnerability in install.php and container-install.php. The installer and upgrade handler expose LDAP configuration functionality without enforcing application role checks. Any authenticated user can access this functionality regardless of assigned privileges. In deployments where REMOTE_USER is set without authentication enforcement, the endpoint may be accessible without credentials. This allows unauthorized modification of application configuration.

Vendor
openDCIM
Product
Unknown
CVSS
CRITICAL 9.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-02-27
Original CVE updated
2026-07-14
Advisory published
2026-02-27
Advisory updated
2026-07-14

Who should care

Administrators and users of openDCIM version 23.04 should be aware of this vulnerability and take immediate action to mitigate the risk. This vulnerability is particularly concerning in deployments where REMOTE_USER is set without authentication enforcement.

Technical summary

The vulnerability exists in the install.php and container-install.php files of openDCIM version 23.04, through commit 4467e9c4. The installer and upgrade handler expose LDAP configuration functionality without enforcing application role checks, allowing any authenticated user to access this functionality regardless of assigned privileges. This can lead to unauthorized modification of application configuration. In deployments where REMOTE_USER is set without authentication enforcement, the endpoint may be accessible without credentials, further increasing the risk. The CVSS score for this vulnerability is 9.3, indicating a critical severity. Administrators and users of openDCIM version 23.04 should be aware of this vulnerability and take immediate action to mitigate the risk, particularly in deployments where REMOTE_USER is set without authentication enforcement.

Defensive priority

High

Recommended defensive actions

  • Apply the patches provided in the GitHub pull request #1664
  • Restrict access to the install.php and container-install.php files
  • Enforce authentication and authorization checks for LDAP configuration functionality
  • Monitor for suspicious activity and implement compensating controls
  • Consider implementing additional security measures such as role-based access control and multi-factor authentication

Evidence notes

The evidence for this vulnerability comes from the openDCIM GitHub repository and the NVD CVE record. The vulnerability was reported by Chocapikk and disclosed by Vulncheck. The CVE record was published on 2026-02-27T23:16:05.960Z and last modified on 2026-07-14T19:16:53.473Z.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-02-27T23:16:05.960Z and has not been modified since then.