TP-EXP-2026-0309 CVE-2026-28517 critical Unknown AI Draft

openDCIM Install and Config Poisoning RCE Chain (CVE-2026-28515 / CVE-2026-28517)

Severity Assessment

  • Exploitability: 8/10 — NVD scores CVE-2026-28517 as network exploitable with low complexity and no privileges required when the configuration value can be modified.
  • Impact: 9/10 — Successful chaining can execute commands in the web server process context and expose data center infrastructure management data.
  • Weaponization Risk: 8/10 — Public research includes a working exploit path and automated proof of concept, but available primary sources do not confirm a named actor or victim set.
  • Patch Urgency: 8/10 — Defenders should treat reachable openDCIM deployments as high risk until access controls and vulnerable code paths are corrected.
  • Detection Coverage: 5/10 — Web and database activity may reveal the chain, but the public proof of concept includes configuration backup and restoration behavior that can reduce simple database-artifact visibility.

Summary

CVE-2026-28515 and CVE-2026-28517 form the public endpoints of an openDCIM remote-code-execution chain disclosed by Valentin Lobstein. NVD describes CVE-2026-28515 as missing authorization in install.php and container-install.php, where LDAP configuration functionality can be reached without enforcing openDCIM application role checks. In deployments where REMOTE_USER is set without real authentication enforcement, the endpoint may be reachable without credentials.

The command-execution sink is CVE-2026-28517. NVD describes it as OS command injection in report_network_map.php, where openDCIM reads the dot configuration parameter from the database and passes it to exec() without validation or sanitization. The public chain uses the install handler to change configuration and then triggers the network-map report so the altered dot value is executed.

The disclosure also describes CVE-2026-28516, a SQL injection in Config::UpdateParameter, as the bridge between the install/configuration surface and the command-injection sink. Available sources support the vulnerability chain and proof-of-concept behavior. They do not establish broad active exploitation, a threat actor, or confirmed victim counts.

Exploit Chain

Stage 1: Reach the Install or Upgrade Handler

An attacker reaches openDCIM’s install.php or Docker-linked container-install.php upgrade handler. NVD describes CVE-2026-28515 as missing authorization in those handlers, allowing LDAP configuration modification by any authenticated user and possible unauthenticated access where REMOTE_USER is set without authentication enforcement.

Stage 2: Abuse LDAP Configuration Writes

The public analysis states that LDAP configuration form fields flow into Config::UpdateParameter. CVE-2026-28516 covers the SQL injection condition in that update path, where unsanitized request values are interpolated into SQL statements.

Stage 3: Poison the dot Configuration Value

Using the SQL injection bridge, an attacker can change the stored fac_Config.dot value. That value is intended to point to the Graphviz dot binary used by the network-map report.

Stage 4: Trigger Command Execution

The attacker requests the network-map report path. NVD describes CVE-2026-28517 as direct use of the database-backed dot parameter in an exec() call without validation or sanitization. If the stored value has been replaced with a command payload, the web server process executes it.

Stage 5: Optional Configuration Restoration

The public proof of concept describes backing up configuration values before poisoning them and restoring those values afterward. That behavior can make simple configuration-drift checks less reliable as the only detection method.

Detection Guidance

Network and application logging:

  • Review access logs for unexpected requests to install.php, container-install.php, and report_network_map.php.
  • Alert when non-admin users access install or upgrade functionality after initial deployment.
  • Correlate LDAP configuration form submissions with subsequent network-map report requests from the same source.
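The correlation in the last bullet can be scripted directly against web-server access logs. The following is an added example for this advisory, not openDCIM code or the public proof of concept: it parses combined-format log lines and pairs every install-handler request with a later report_network_map.php request from the same source within a window. The log format, the /dcim/ path prefix, the 600-second window and the sample lines are assumptions or constructed.

```python
"""Correlate web-server access-log events for the openDCIM install-handler to
network-map chain described above.

Added example for this advisory, not openDCIM code or the public proof of concept.
Assumptions: Apache/nginx "combined" log format, application paths under /dcim/,
and a 600-second correlation window; the sample log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: ip ident user [ts] "METHOD target proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

INSTALL_HANDLERS = ("/install.php", "/container-install.php")  # CVE-2026-28515 surface
REPORT_PATH = "/report_network_map.php"                          # CVE-2026-28517 sink
WINDOW_SECONDS = 600  # assumption: max gap between the install write and the report request


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": path,
        "query": query,
        "status": int(m.group("status")),
    }


def find_chain_candidates(lines, window=WINDOW_SECONDS):
    """Return one dict per (install-handler request, later report_network_map.php
    request) pair from the same source IP within `window` seconds.

    The LDAP form submission (ldapaction=Set) is normally a POST, so the parameter
    may not appear in the access log at all; every install-handler hit is therefore
    treated as a candidate, and a flag records whether the parameter was visible.
    """
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    pending = defaultdict(list)  # ip -> [(ts, ldapaction_visible)]
    hits = []
    for ev in events:
        if ev["path"].endswith(INSTALL_HANDLERS):
            pending[ev["ip"]].append((ev["ts"], "ldapaction=set" in ev["query"].lower()))
        elif ev["path"].endswith(REPORT_PATH):
            for ts, ldap_visible in pending[ev["ip"]]:
                gap = (ev["ts"] - ts).total_seconds()
                if 0 <= gap <= window:
                    hits.append({
                        "ip": ev["ip"],
                        "install_ts": ts,
                        "report_ts": ev["ts"],
                        "gap_seconds": gap,
                        "ldapaction_set_visible": ldap_visible,
                    })
    return hits


# Constructed sample: one source hits the install handler and then the report;
# a second source only pulls the report, which is normal use and must not match.
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Feb/2026:10:00:01 +0000] "GET /dcim/index.php HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [26/Feb/2026:10:00:05 +0000] "POST /dcim/install.php?ldapaction=Set HTTP/1.1" 200 310 "-" "-"',
    '203.0.113.7 - - [26/Feb/2026:10:00:09 +0000] "GET /dcim/report_network_map.php HTTP/1.1" 200 2048 "-" "-"',
    '198.51.100.4 - - [26/Feb/2026:10:05:00 +0000] "GET /dcim/report_network_map.php HTTP/1.1" 200 2048 "-" "-"',
    'not a log line',
]

if __name__ == "__main__":
    for hit in find_chain_candidates(SAMPLE_LOG):
        print(f"{hit['ip']}: install handler at {hit['install_ts']:%H:%M:%S}, "
              f"report at {hit['report_ts']:%H:%M:%S} ({hit['gap_seconds']:.0f}s, "
              f"ldapaction=Set visible: {hit['ldapaction_set_visible']})")
```

Because the report endpoint is legitimately used by administrators, the report request alone is not an indicator; the pairing with an install-handler request from the same source is what separates the chain from normal use, which is why the second sample source produces no hit.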

Database and configuration monitoring:

  • Monitor changes to fac_Config values, especially dot, snmpwalk, cut, and LDAP-related parameters.
  • Alert when the dot value differs from the expected Graphviz binary path or contains shell metacharacters, inline commands, pipes, redirection, or encoded payload fragments.
  • Preserve database audit logs where possible, because the public chain may restore modified configuration values after execution.
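The three bullets above, together with the restoration behaviour described in Stage 5, translate into three checks. The following is an added example for this advisory, not openDCIM code or the public proof of concept: a validator for the stored dot value, a snapshot-to-snapshot drift diff, and a pass over a chronological change log that flags a watched parameter changed and then set back within a short window, which is the case a plain snapshot diff misses. The expected Graphviz paths, the audit-row shape and all sample values are assumptions or constructed.

```python
"""Validate and monitor the openDCIM fac_Config parameters named above.

Added example for this advisory, not openDCIM code or the public proof of concept.
Assumptions: the expected Graphviz binary locations, the shape of the audit rows
(timestamp, parameter, old value, new value), and every sample value below.
"""
import re

# Assumption: adjust to the host's real Graphviz location(s).
EXPECTED_DOT_PATHS = {"/usr/bin/dot", "/usr/local/bin/dot"}
# Parameters the detection guidance names; LDAP* covers the LDAP form fields.
WATCHED_PARAMETERS = {"dot", "snmpwalk", "cut"}
# Characters that have no business in a plain binary path handed to exec().
SHELL_META_RE = re.compile(r"[;&|`$<>(){}\\]")
# Fragments typical of inline-command or encoded-payload values (detection hints only).
SUSPICIOUS_FRAGMENTS = ("base64", "/dev/tcp", "sh -c", "bash -i")


def is_watched(parameter):
    return parameter in WATCHED_PARAMETERS or parameter.upper().startswith("LDAP")


def classify_dot_value(value):
    """Return a list of findings for a fac_Config.dot value; [] means it is an expected path."""
    v = value.strip()
    if v in EXPECTED_DOT_PATHS:
        return []
    findings = []
    if not v.startswith("/"):
        findings.append("not an absolute path")
    if SHELL_META_RE.search(v):
        findings.append("contains shell metacharacters")
    if any(c.isspace() for c in v):
        findings.append("contains whitespace (inline command?)")
    low = v.lower()
    findings.extend(f"contains suspicious fragment {frag!r}"
                    for frag in SUSPICIOUS_FRAGMENTS if frag in low)
    if not findings:
        findings.append("unexpected binary path")  # e.g. a dot copy under /tmp
    return findings


def snapshot_drift(before, after):
    """Diff two {Parameter: Value} snapshots of fac_Config, watched parameters only.
    A value that was poisoned and restored between the two snapshots is invisible here."""
    return {p: (before.get(p), after.get(p))
            for p in sorted(set(before) | set(after))
            if is_watched(p) and before.get(p) != after.get(p)}


def short_lived_changes(audit_rows, window_seconds=600):
    """Scan chronological audit rows (ts, parameter, old, new) and return
    (parameter, change_ts, restore_ts) for watched parameters that are changed and
    then set back to their original value within `window_seconds`."""
    open_changes = {}  # parameter -> (ts of first change, original value)
    flagged = []
    for ts, parameter, old, new in audit_rows:
        if not is_watched(parameter) or old == new:
            continue
        if parameter in open_changes:
            t0, original = open_changes[parameter]
            if new == original and ts - t0 <= window_seconds:
                flagged.append((parameter, t0, ts))
                del open_changes[parameter]
            continue
        open_changes[parameter] = (ts, old)
    return flagged


# Constructed sample data. The poisoned value uses an obvious placeholder rather
# than a real command string.
POISONED = "/usr/bin/dot; PLACEHOLDER_COMMAND"
SAMPLE_BEFORE = {"dot": "/usr/bin/dot", "snmpwalk": "/usr/bin/snmpwalk",
                 "cut": "/usr/bin/cut", "LDAPServer": "ldap://ldap.example.internal"}
SAMPLE_AFTER = dict(SAMPLE_BEFORE)          # identical: the chain restored everything
SAMPLE_AUDIT = [
    (1000, "dot", "/usr/bin/dot", POISONED),                 # poison
    (1004, "OrgName", "Example DC", "Example DC (edited)"),  # unrelated, not watched
    (1009, "dot", POISONED, "/usr/bin/dot"),                 # restore
]

if __name__ == "__main__":
    print("dot findings:", classify_dot_value(POISONED))
    print("snapshot drift:", snapshot_drift(SAMPLE_BEFORE, SAMPLE_AFTER))
    print("short-lived changes:", short_lived_changes(SAMPLE_AUDIT))
```

The sample run shows the point of the last bullet: the before/after snapshots are identical, so `snapshot_drift` returns nothing, while the audit rows still expose the poison-and-restore pair on `dot`. Without a preserved change log (database audit, binlog, or application-level history), the restoration step leaves only the access-log correlation and host telemetry as evidence.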

Host monitoring:

  • Watch the web server process for unexpected child processes, shell execution, outbound network connections, and writes under temporary graph-output paths.
  • Review command execution telemetry from the user context that runs the PHP application, commonly the web server account.
  • Treat unexplained reverse-shell callbacks or command output artifacts after report generation as high-priority evidence.

Indicators of Compromise

Network and request indicators:

  • Requests to install.php or container-install.php with ldapaction=Set outside planned maintenance.
  • Requests to report_network_map.php shortly after LDAP configuration changes.
  • Repeated install-handler submissions followed by network-map report retrieval.

Configuration indicators:

  • Unexpected fac_Config.dot values.
  • Short-lived changes to dot, LDAP configuration fields, or backup-like tables created during the same request window.
  • Configuration values containing shell wrappers, command separators, redirection, encoded payloads, or reverse-shell syntax.

Attribution:

  • Threat actor: Unknown
  • Confidence basis: Public sources describe vulnerability mechanics and proof-of-concept exploitation, but do not identify an operator or confirmed victim set.

Disclosure Timeline

2026-02-26 — Public Research Published

Valentin Lobstein published the openDCIM install/config poisoning chain analysis and proof-of-concept details.

2026-02-27 — CVEs Published

NVD published entries for CVE-2026-28515, CVE-2026-28516, and CVE-2026-28517.

2026-03-10 — NVD Metadata Updated for Authorization and SQL Injection Issues

NVD later modified the CVE-2026-28515 and CVE-2026-28516 records after publication.

2026-05-12 — NVD Metadata Updated for Command Injection Issue

NVD modified the CVE-2026-28517 record after enrichment, retaining the command-injection description for report_network_map.php.

Sources & References