CVE-2026-28515: openDCIM <= 23.04 Missing Authorization in install.php
openDCIM version 23.04, through commit 4467e9c4, contains a missing authorization vulnerability in install.php and container-install.php. The installer and upgrade handler expose LDAP configuration functionality without enforcing application role checks. Any authenticated user can access this functionality regardless of assigned privileges. In deployments where REMOTE_USER is set without authentication enforcement, the endpoint may be accessible without credentials. This allows unauthorized modification of application configuration.
Security readout for executives and security teams
Plain-English summary
CVE-2026-28515 lets unauthorized users change openDCIM configuration through installer or upgrade pages. The business concern is configuration takeover, especially LDAP settings, which can affect access control and application integrity. The sources rate it critical, but they do not show confirmed active exploitation.
Executive priority
Treat this as urgent for any exposed openDCIM deployment. Prioritize containment and vendor-approved remediation because the flaw can undermine access configuration without requiring administrative privileges.
Technical view
openDCIM 23.04 through commit 4467e9c4 lacks authorization checks in install.php and container-install.php LDAP configuration handling. Any authenticated user may access functionality regardless of role. If REMOTE_USER is set without authentication enforcement, access may require no valid credentials. CVSS v4 score is 9.3.
Likely exposure
Systems running openDCIM 23.04 or code at or before commit 4467e9c4 are the stated exposure. Internet-facing or broadly reachable installer endpoints, weak REMOTE_USER enforcement, and non-admin user access increase practical risk.
Exploitation context
The bundle includes a technical blog and public exploit repository references, so exploit information appears public. CISA KEV status is false in the bundle, and no cited source here confirms active exploitation in the wild.
Researcher notes
Evidence supports missing authorization in installer paths and a severe impact rating. Patch status is not fully established by the bundle beyond issue-tracking references, so avoid assuming a specific fixed release without vendor confirmation.
Mitigation direction
Check openDCIM vendor guidance and PR #1664 for the approved fix path.
Restrict access to install.php and container-install.php to trusted administrators.
Ensure REMOTE_USER is only set after strong authentication enforcement.
Limit openDCIM access to trusted networks or VPN until fixed.
Review LDAP and application configuration for unauthorized changes.
Validation and detection
Inventory openDCIM versions and deployed commit levels.
Confirm install.php and container-install.php are not publicly reachable.
Verify non-admin users cannot access installer or upgrade configuration functions.
Check whether REMOTE_USER can be spoofed or set without authentication.
Audit recent LDAP and configuration changes for suspicious modifications.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-862: Authorization and privilege behavior lookup
Authorization weaknesses can support privilege escalation and valid-account review, depending on exploit path. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The affected technology mentions containers, so container-specific ATT&CK technique review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
1CVSS vectors
3Timeline events
1ADP providers
8Source links
SSVC decision data
CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: pocAutomatable: yesTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-862 · source CWE mapping
Missing Authorization
Missing Authorization represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.