CVE-2026-28516
Published 2026-02-27
Priority: P2 · 63 · high · 8.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 0.97% (57.5th percentile)
openDCIM version 23.04, through commit 4467e9c4, contains a SQL injection vulnerability in Config::UpdateParameter. The install.php and container-install.php handlers pass user-supplied input directly into SQL statements using string interpolation without prepared statements or proper input sanitization. An authenticated user can execute arbitrary SQL statements against the underlying database.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| opendcim | opendcim | <= 23.04 | — |
| opendcim | opendcim | — | — |
Detection & IOCs (extracted from sources)
- command: SQL injection via LDAP configuration form to overwrite Graphviz dot binary path in fac_Config
- Monitor HTTP POST/GET requests to install.php and container-install.php on openDCIM deployments; these endpoints should not be accessible post-installation, and any traffic to them is suspicious.
- The exploit chain requires exactly five HTTP requests to achieve RCE and spawn a reverse shell; correlate sequences of rapid requests across install.php and report_network_map.php from the same source IP.
- Flag modifications to the fac_Config table's Graphviz dot binary path column in the openDCIM database, as the exploit overwrites this value to achieve command injection.
- The SQL injection vulnerability is exploitable by authenticated users in standard deployments; however, in Docker deployments where REMOTE_USER is set without authentication enforcement, install.php may be reachable without credentials.
- The vulnerability affects openDCIM version 23.04 through commit 4467e9c4; the Metasploit module confirms the range extends through version 25.01 on Ubuntu with Apache.
- Full RCE via the exploit chain depends on the Graphviz dot binary path being configurable in fac_Config and on report_network_map.php being accessible; the exploit restores the original config after payload delivery.
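As an added example (not from the advisory or the openDCIM project), a small Python detector that implements the two web-log monitoring rules above over constructed Apache access-log lines: it flags every request to install.php or container-install.php, and reports source IPs that hit an installer endpoint and report_network_map.php within one short window. The 60-second window and the sample log lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache combined-format access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [27/Feb/2026:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [27/Feb/2026:10:00:05 +0000] "POST /install.php HTTP/1.1" 200 1024 "-" "python-requests/2.31"
203.0.113.7 - - [27/Feb/2026:10:00:06 +0000] "POST /install.php HTTP/1.1" 200 1024 "-" "python-requests/2.31"
203.0.113.7 - - [27/Feb/2026:10:00:08 +0000] "GET /report_network_map.php HTTP/1.1" 200 2048 "-" "python-requests/2.31"
203.0.113.7 - - [27/Feb/2026:10:00:09 +0000] "POST /install.php HTTP/1.1" 200 1024 "-" "python-requests/2.31"
198.51.100.4 - - [27/Feb/2026:10:05:00 +0000] "GET /report_network_map.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [27/Feb/2026:10:07:00 +0000] "GET /container-install.php HTTP/1.1" 200 300 "-" "curl/8.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
INSTALLERS = {"/install.php", "/container-install.php"}   # should be unreachable post-install
CHAIN_PEER = "/report_network_map.php"                     # second endpoint in the exploit chain

def parse(log_text):
    """Yield (ip, timestamp, method, path) for each parseable combined-format line."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0]   # drop the query string before matching
        events.append((m["ip"], ts, m["method"], path))
    return events

def detect(log_text, window=timedelta(seconds=60)):
    """Return (installer_hits, chain_suspects) for the given access log text."""
    events = parse(log_text)
    # Rule 1: any request to an installer endpoint on a deployed instance is suspicious.
    installer_hits = [(ip, ts.isoformat(), method, path)
                      for ip, ts, method, path in events if path in INSTALLERS]
    # Rule 2: same source IP touching an installer endpoint AND report_network_map.php
    # within `window` (the rapid request sequence the advisory describes).
    by_ip = defaultdict(list)
    for ip, ts, _method, path in events:
        if path in INSTALLERS or path == CHAIN_PEER:
            by_ip[ip].append((ts, path))
    chain_suspects = []
    for ip, hits in by_ip.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            burst = [p for t, p in hits[i:] if t - start <= window]
            if CHAIN_PEER in burst and any(p in INSTALLERS for p in burst):
                chain_suspects.append((ip, len(burst)))   # (source IP, requests in window)
                break
    return installer_hits, chain_suspects
```

Rule 1 alone is enough to alert on a hardened deployment; rule 2 separates a stray probe from the multi-request sequence that ends in command injection.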
CVSS provenance
- NVD, CVSS v3.1: 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- NVD, CVSS v4.0: 9.3 CRITICAL, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
No detection rules found.
References
- https://chocapikk.com/posts/2026/opendcim-sqli-to-rce/
- https://github.com/Chocapikk/opendcim-exploit
- https://github.com/opendcim/openDCIM/blob/4467e9c4/config.inc.php#L75-L90
- https://github.com/opendcim/openDCIM/blob/4467e9c4/install.php#L420-L434
- https://github.com/opendcim/openDCIM/pull/1664
- https://github.com/opendcim/openDCIM/pull/1664/changes/8f7ab2a710086a9c8c269560793e47c577ddda09
- https://www.vulncheck.com/advisories/opendcim-sql-injection-in-config-updateparameter