PatchSiren cyber security CVE debrief

CVE-2026-28517 openDCIM CVE debrief

CVE-2026-28517 is a critical OS command injection issue in openDCIM's report_network_map.php. The affected code retrieves the dot configuration value from the database and passes it to exec() without validation or sanitization. If an attacker can change fac_Config.dot, they may execute arbitrary commands in the context of the web server process.

Vendor: openDCIM
Product: CVE-2026-28517
CVSS: CRITICAL 9.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-27
Original CVE updated: 2026-05-12
Advisory published: 2026-02-27
Advisory updated: 2026-05-12

Who should care

Administrators and developers running openDCIM 23.04, especially in environments where configuration values stored in fac_Config may be modified through application paths or by users with elevated access. Security teams should treat this as an urgent web application code-execution risk.

Technical summary

NVD lists openDCIM 23.04 as vulnerable and classifies the weakness as CWE-78. The issue is in report_network_map.php, where the dot configuration parameter is read from the database and used directly in exec(). That creates an OS command injection sink. The supplied description says the practical precondition is the ability to modify fac_Config.dot; once that occurs, commands execute as the web server process.

Defensive priority

High. This is a CVSS 9.3 critical issue with network attack characteristics and high confidentiality, integrity, and availability impact. Prioritize applying the vendor fix or compensating controls before routine maintenance.

Recommended defensive actions

  • Update openDCIM to a version that includes the vendor fix referenced in pull request 1664.
  • Restrict who can modify configuration values such as fac_Config.dot and review any application paths that write to the configuration database.
  • Audit report_network_map.php and related code for shell execution and replace exec() usage with safer non-shell alternatives where possible.
  • Monitor web server and application logs for unexpected subprocess activity, command execution, or unexplained changes to configuration values.
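The technical summary and the third action above both come down to the same code-level change: a value read from fac_Config must never reach a shell. The PHP below is an added illustration written for this debrief, not openDCIM's own code or its patch. It assumes the database value has already been read into $dotSetting, that the rendering step invokes Graphviz dot on a file ($dotFile), and that the allowed binary locations (ALLOWED_DOT_BINARIES) are chosen by the deployer; none of those names come from the project. The first function shows the pattern the CVE record describes; the second shows the hardened replacement.

```php
<?php
// Added example for CVE-2026-28517, not code from openDCIM.
// $dotSetting is the value of fac_Config.dot as read from the database;
// $dotFile is the graph source file to render (both assumed names).

// Pattern the CVE record describes: the database value is concatenated into
// a shell command line and handed to exec(). Anyone who can write
// fac_Config.dot controls what the shell runs (CWE-78).
function renderMapUnsafe(string $dotSetting, string $dotFile): string
{
    exec($dotSetting . ' -Tpng ' . $dotFile, $output, $rc);
    return implode("\n", $output);
}

// Hardened replacement, part 1: validate the configuration value.
// Only exact, pre-approved absolute paths are accepted; the list is an
// assumption for this example and would be set by the deployer.
const ALLOWED_DOT_BINARIES = ['/usr/bin/dot', '/usr/local/bin/dot'];

function resolveDotBinary(string $dotSetting): ?string
{
    // Strict allowlist comparison: no prefixes, no extra characters.
    if (!in_array($dotSetting, ALLOWED_DOT_BINARIES, true)) {
        return null;
    }
    // Resolve symlinks and confirm it is really an executable file.
    $real = realpath($dotSetting);
    if ($real === false || !is_executable($real)) {
        return null;
    }
    return $real;
}

// Hardened replacement, part 2: run the binary without a shell.
function renderMapSafe(string $dotSetting, string $dotFile): ?string
{
    $binary = resolveDotBinary($dotSetting);
    if ($binary === null) {
        // A rejected value is a signal worth alerting on (see the
        // monitoring action above), since it means fac_Config.dot changed
        // to something outside the approved list.
        error_log('fac_Config.dot rejected: ' . $dotSetting);
        return null;
    }

    // PHP 7.4+: passing an array to proc_open() executes the program
    // directly, with no shell involved, so neither the binary path nor
    // the file name can smuggle in additional commands.
    $descriptors = [
        1 => ['pipe', 'w'],   // stdout: rendered PNG bytes
        2 => ['pipe', 'w'],   // stderr: dot diagnostics
    ];
    $proc = proc_open([$binary, '-Tpng', $dotFile], $descriptors, $pipes);
    if (!is_resource($proc)) {
        return null;
    }

    $png = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $rc = proc_close($proc);

    if ($rc !== 0) {
        error_log('dot failed (' . $rc . '): ' . trim($err));
        return null;
    }
    return $png;
}
```

The allowlist check is the part that matters most: escaping the value with escapeshellarg() would stop shell metacharacters but would still let a modified fac_Config.dot point at any executable on the host, so validating the path against known locations and avoiding the shell entirely are both needed.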

Evidence notes

The supplied CVE/NVD record states that report_network_map.php passes the dot configuration value directly to exec() without validation or sanitization. The metadata also lists openDCIM 23.04 as vulnerable and identifies CWE-78. The supplied references include the relevant source lines, a third-party advisory, and a vendor patch pull request.

Official resources

CVE published 2026-02-27T23:16:06.357Z and last modified 2026-05-12T01:16:45.947Z. No Known Exploited Vulnerabilities listing is present in the supplied corpus.