PatchSiren cyber security CVE debrief

CVE-2026-41917 Openkm CVE debrief

OpenKM 6.3.12 contains a local file inclusion (LFI) vulnerability in the administrative scripting interface at /admin/Scripting. The vulnerability allows authenticated administrators to read arbitrary files by supplying an attacker-controlled filesystem path through the fsPath parameter with action=Load. This can be exploited to access sensitive files including /etc/passwd, configuration files containing database credentials, and JVM keystores accessible to the OpenKM process. The vulnerability was disclosed by Terra System Labs and published to NVD on 2026-05-26. The CVSS 4.0 vector indicates network attack vector with low attack complexity, high privileges required, and high confidentiality impact. No known exploitation in the wild or ransomware campaign use has been reported.

Vendor: Openkm
Product: OpenKM Community Edition
CVSS: MEDIUM 6.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-26
Original CVE updated: 2026-05-26
Advisory published: 2026-05-26
Advisory updated: 2026-05-26

Who should care

Organizations running OpenKM 6.3.12 with exposed administrative interfaces; security teams responsible for document management system security; administrators of OpenKM Community Edition deployments

Technical summary

The vulnerability exists in OpenKM 6.3.12's administrative scripting interface at /admin/Scripting. The fsPath parameter with action=Load does not properly validate or sanitize user-supplied filesystem paths, allowing authenticated administrators to read arbitrary files accessible to the OpenKM process. This includes system files (/etc/passwd), application configuration files containing database credentials, and JVM keystores. The attack requires high privileges (administrator authentication) but can result in high confidentiality impact through credential theft and system reconnaissance.

Defensive priority

medium

Recommended defensive actions

  • Restrict administrative interface /admin/Scripting access to trusted source IP addresses only
  • Implement network segmentation to limit exposure of OpenKM administrative interfaces
  • Monitor for anomalous file access patterns from the OpenKM process
  • Review and rotate database credentials and JVM keystore passwords if compromise is suspected
  • Apply vendor patches when available; consider upgrading to a fixed version
  • Enable comprehensive logging on the /admin/Scripting endpoint for forensic analysis
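The monitoring and logging actions above can be turned into a concrete check. The following Python script is an added example (not PatchSiren's or OpenKM's code): it scans web-server access log lines for /admin/Scripting requests with action=Load and flags any fsPath that normalises to a location outside the script directory, or that arrives from an IP not on the trusted admin list. The combined log format, the script directory /opt/openkm/scripts, the trusted address 10.0.0.5 and the sample log lines are all assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote
from posixpath import normpath

# Constructed sample access log (Apache/Tomcat combined format assumed).
SAMPLE_LOG = """\
10.0.0.5 - admin [26/May/2026:15:16:36 +0000] "GET /OpenKM/admin/Scripting?action=Load&fsPath=/opt/openkm/scripts/cleanup.bsh HTTP/1.1" 200 512
10.0.0.5 - admin [26/May/2026:15:17:02 +0000] "GET /OpenKM/admin/Scripting?action=Load&fsPath=/etc/passwd HTTP/1.1" 200 1844
203.0.113.9 - admin [26/May/2026:15:18:10 +0000] "GET /OpenKM/admin/Scripting?action=Load&fsPath=/opt/openkm/scripts/../../../etc/shadow HTTP/1.1" 403 0
10.0.0.5 - admin [26/May/2026:15:19:00 +0000] "GET /OpenKM/admin/Scripting?action=List HTTP/1.1" 200 2048
"""

ALLOWED_BASE = "/opt/openkm/scripts"   # assumed directory that Load should be limited to
TRUSTED_SOURCES = {"10.0.0.5"}          # assumed admin jump host; adjust per deployment

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d+)')

def path_escapes_base(fs_path, base=ALLOWED_BASE):
    """True when the decoded, normalised path is not inside base (catches ../ and absolute paths)."""
    normalised = normpath(unquote(fs_path))
    return not (normalised == base or normalised.startswith(base + "/"))

def scan(log_text):
    """Return (ip, user, fsPath, reason) for every suspicious action=Load request."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlparse(m["url"])
        if not url.path.endswith("/admin/Scripting"):
            continue
        qs = parse_qs(url.query)
        if qs.get("action", [""])[0] != "Load":
            continue
        fs_path = qs.get("fsPath", [""])[0]
        reasons = []
        if path_escapes_base(fs_path):
            reasons.append("fsPath outside script directory")
        if m["ip"] not in TRUSTED_SOURCES:
            reasons.append("untrusted source IP")
        if reasons:
            hits.append((m["ip"], m["user"], unquote(fs_path), "; ".join(reasons)))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Run against the sample it reports the /etc/passwd read and the traversal attempt from the untrusted address, while the legitimate script load and the action=List request pass silently.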

Evidence notes

Vulnerability disclosed by Terra System Labs via VulnCheck advisory. Multiple reference sources confirm the LFI vector in OpenKM 6.3.12 administrative scripting interface. CVSS 4.0 vector provided in NVD record. No CPE criteria available in source data.

Official resources

2026-05-26T15:16:36.440Z