CVE-2026-27012
Published 2026-03-03
Priority P2 · 64 · critical 9.8 · CVSS 3.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.54% (41.1th percentile)
OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, a privilege escalation and authentication bypass vulnerability in OpenSTAManager allows any attacker to arbitrarily change a user's group (idgruppo) by directly calling modules/utenti/actions.php. This can promote an existing account (e.g. agent) into the Amministratori group as well as demote any user including existing administrators.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| devcode-it | openstamanager | <= 2.9.8 | — |
| devcode-it | openstamanager | 0 – 2.9.8 | — |
| devcode | openstamanager | <= 2.9.8 | — |
Detection & IOCs (extracted from sources)
- Monitor unauthenticated or low-privileged HTTP requests directly targeting modules/utenti/actions.php, especially those containing the 'idgruppo' parameter, which indicates an attempt to change a user's group assignment.
- Alert on any modification of a user's group to the 'Amministratori' group originating from non-administrative sessions, as exploitation promotes arbitrary accounts to the administrator group.
- The vulnerability affects OpenSTAManager version 2.9.8 and earlier; no fix was available as of the publication date (March 3, 2026). Ensure the affected endpoint modules/utenti/actions.php is access-controlled or blocked at the web server/WAF level until a patch is released.
- A public exploit exists for this CVE (CVSS 9.8 Critical), increasing the urgency of detection and mitigation for any internet-exposed OpenSTAManager instances.
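A log-side check for the two detection items above, as an added example that is not part of the advisory or of the OpenSTAManager project: it assumes reverse-proxy or WAF records that capture form bodies and carry a `session_role` field (both constructed here), while the endpoint path, the `idgruppo` parameter and the Amministratori group name come from the advisory.

```python
import json
from typing import Optional
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/modules/utenti/actions.php"   # endpoint named in the advisory
GROUP_PARAM = "idgruppo"                      # user-group field named in the advisory
ADMIN_GROUP = "Amministratori"                # group name from the advisory

# Constructed sample records, in the shape a reverse proxy or WAF that captures form
# bodies might emit. "session_role" (None = no authenticated session) is an assumed
# field, not something OpenSTAManager itself logs.
SAMPLE_LOGS = [
    '{"ts":"2026-03-03T10:00:01Z","src":"203.0.113.5","method":"POST","uri":"/modules/utenti/actions.php","body":"op=update&id=7&idgruppo=1","session_role":null}',
    '{"ts":"2026-03-03T10:00:05Z","src":"198.51.100.9","method":"POST","uri":"/modules/utenti/actions.php","body":"op=update&id=2&idgruppo=1","session_role":"Agenti"}',
    '{"ts":"2026-03-03T10:01:00Z","src":"192.0.2.10","method":"POST","uri":"/modules/utenti/actions.php","body":"op=update&id=7&idgruppo=3","session_role":"Amministratori"}',
    '{"ts":"2026-03-03T10:01:30Z","src":"192.0.2.10","method":"GET","uri":"/modules/utenti/index.php","body":"","session_role":"Amministratori"}',
    '{"ts":"2026-03-03T10:02:00Z","src":"203.0.113.5","method":"GET","uri":"/modules/utenti/actions.php?op=update&id=7&idgruppo=1","body":"","session_role":null}',
    '{"ts":"2026-03-03T10:02:30Z","src":"198.51.100.9","method":"POST","uri":"/modules/utenti/actions.php","body":"op=delete&id=9","session_role":"Agenti"}',
]

def analyze(record: dict) -> Optional[dict]:
    """Return an alert for a non-admin request to the vulnerable endpoint, else None."""
    parts = urlsplit(record["uri"])
    if parts.path != TARGET_PATH:
        return None
    role = record.get("session_role")
    if role == ADMIN_GROUP:
        return None  # group changes by administrators are the intended use of the endpoint
    # Merge query-string and form-body parameters: the advisory describes a POST, but
    # checking both means a request carrying the same fields in the URL is not missed.
    params = parse_qs(parts.query)
    params.update(parse_qs(record.get("body") or ""))
    group_change = GROUP_PARAM in params
    return {
        "ts": record["ts"],
        "src": record["src"],
        "session_role": role or "unauthenticated",
        "reason": "group_change" if group_change else "direct_endpoint_access",
        "severity": "critical" if group_change else "medium",
        "target_user": params.get("id", [None])[0],
        "new_group": params[GROUP_PARAM][0] if group_change else None,
    }

def detect(lines) -> list:
    """Run analyze() over JSON log lines and return the alerts in log order."""
    return [a for a in (analyze(json.loads(line)) for line in lines) if a]
```

Any hit on the endpoint from a non-admin session is surfaced, with the `idgruppo` cases marked critical, which matches the advisory's point that the endpoint should not be reachable by such sessions at all.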
GHSA (ghsa · 2026-03-03)
CVE-2026-27012 [CRITICAL] CWE-306 OpenSTAManager affected by unauthenticated privilege escalation via modules/utenti/actions.php
### Summary
A privilege escalation and authentication bypass vulnerability in OpenSTAManager allows any attacker to arbitrarily change a user's group (`idgruppo`) by directly calling `modules/utenti/actions.php`. This can promote an existing account (e.g. agent) into the Amministratori group as well as demote any user including existing administrators.
### Details
`modules/utenti/actions.php` is reachable directly via `http://:8080/modules/utenti/actions.php` and processes privileged information without requiring any authentication or authorization checks on fields like `idgruppo`. As a result, an attacker can submit a crafted POST request that updates the target's record and assigns it to the adm
OSV (osv · 2026-03-03)
CVE-2026-27012 [CRITICAL] OpenSTAManager affected by unauthenticated privilege escalation via modules/utenti/actions.php (advisory text identical to the GHSA entry)
No detection rules found.
No public exploits indexed.
Published: 2026-03-03