CVE-2026-28515: openDCIM <= 23.04 Missing Authorization in install.php

Severity CRITICAL
Vendor Opendcim
Product openDCIM
Weakness CWE-862 · Missing authorization
Published February 27, 2026
Last update May 11, 2026

CVSS base score 9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

openDCIM version 23.04, through commit 4467e9c4, contains a missing authorization vulnerability in install.php and container-install.php. The installer and upgrade handler expose LDAP configuration functionality without enforcing application role checks. Any authenticated user can access this functionality regardless of assigned privileges. In deployments where REMOTE_USER is set without authentication enforcement, the endpoint may be accessible without credentials. This allows unauthorized modification of application configuration.

Disclosure timeline

February 27, 2026 CVE published
May 11, 2026 Record updated