CVE-2026-24891
Status: Awaiting Analysis
PHP Object Injection via Unsafe Deserialization in openITCOCKPIT Gearman Worker

Publication date: 2026-02-20

Last updated on: 2026-02-24

Assigner: GitHub, Inc.

Description
openITCOCKPIT is an open source monitoring tool built for different monitoring engines like Nagios, Naemon and Prometheus. Versions 5.3.1 and below contain an unsafe deserialization sink in the Gearman worker implementation. The worker function registered as oitc_gearman calls PHP's unserialize() on job payloads without enforcing class restrictions or validating data origin. While the intended deployment assumes only trusted internal components enqueue Gearman jobs, this trust boundary is not enforced in application code. In environments where the Gearman service or worker is exposed to untrusted systems, an attacker may submit crafted serialized payloads to trigger PHP Object Injection in the worker process. This vulnerability is exploitable when Gearman listens on non-local interfaces, network access to TCP/4730 is unrestricted, or untrusted systems can enqueue jobs. Default, correctly hardened deployments may not be immediately exploitable, but the unsafe sink remains present in code regardless of deployment configuration. Enforcing this trust boundary in code would significantly reduce risk and prevent exploitation in misconfigured environments. This issue has been fixed in version 5.4.0.
Meta Information
Published: 2026-02-20
Last Modified: 2026-02-24
Generated: 2026-05-07
AI Q&A: 2026-02-20
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor     Product         Version / Range
it-novum   openitcockpit   up to 5.4.0 (exclusive)
CWE
CWE-502  The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-24891 is a high-severity vulnerability in openITCOCKPIT Community Edition version 5.3.1 and below, specifically in its Gearman Worker component (oitc_gearman). The issue arises because the worker function uses PHP's unserialize() on job payloads without validating the data or restricting allowed classes. This unsafe deserialization allows an attacker, if they can submit crafted serialized payloads to the Gearman worker, to perform PHP Object Injection.

The vulnerability occurs when the Gearman service or worker is exposed to untrusted systems, such as when it listens on non-local interfaces or when network access to TCP port 4730 is unrestricted. An attacker can exploit this by sending malicious serialized data that triggers execution of arbitrary PHP code, potentially leading to remote code execution.

The root cause is the direct use of unserialize() on externally supplied data without enforcing class restrictions or validating the origin of the data. This unsafe sink exists in multiple code locations and relies on deployment-level trust assumptions that are not enforced in code. [1]


How can this vulnerability impact me?

This vulnerability can have severe impacts including remote code execution on the server running the Gearman worker. An attacker can instantiate arbitrary PHP objects, triggering magic methods that may modify the file system, disclose credentials, or persistently compromise the worker environment.

The CVSS v3.1 base score of 7.5 reflects high confidentiality, integrity, and availability impacts. Exploitation requires network access to the Gearman service, but once exploited, it can lead to full system compromise, unauthorized access, and potential disruption of monitoring services.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves checking if the Gearman service or worker component of openITCOCKPIT is exposed to untrusted networks or if it listens on non-local interfaces, especially on TCP port 4730.

You can verify if the Gearman service is listening on network interfaces accessible from untrusted sources by running commands such as:

  • netstat -tulnp | grep 4730
  • ss -tuln | grep 4730
  • lsof -i :4730

Additionally, checking the openITCOCKPIT version can help determine if the vulnerable version (5.3.1 or below) is in use:

  • openITCOCKPIT --version

Since the vulnerability arises from unsafe PHP unserialize() calls in the Gearman worker, reviewing the code or logs for unserialize() usage on job payloads without validation may also help detect the issue.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting network access to the Gearman service to trusted internal components only.

  • Configure the Gearman service to listen only on localhost or private network interfaces, avoiding exposure to untrusted or multi-tenant networks.
  • Enforce strict firewall rules to block external access to TCP port 4730.
  • Avoid allowing untrusted systems to enqueue jobs to the Gearman worker.

At the code level, upgrading to openITCOCKPIT version 5.4.0 or later is recommended, as this version contains fixes that replace unsafe unserialize() calls with safer alternatives using allowed_classes restrictions and better validation.

Additionally, consider validating the origin and structure of serialized payloads or switching to safer IPC formats like JSON.
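The unsafe pattern named in the Description above and the allowed_classes-based fix recommended in the mitigation steps, shown side by side as an added example. This is not openITCOCKPIT's code and does not reproduce the real worker: the function names handleJobUnsafe and handleJobSafe, the DemoGadget class and the task/args workload layout are illustrative assumptions, and the Gearman job object is replaced by a plain workload string so the script runs stand-alone under PHP 8.

```php
<?php
// Added example, not openITCOCKPIT code. handleJobUnsafe, handleJobSafe,
// DemoGadget and the task/args layout are assumptions for illustration;
// the Gearman job object is stood in for by a raw workload string.
declare(strict_types=1);

// Stand-in for any application class with a magic method. In a real
// codebase the gadget is an existing class; the attacker only has to
// pick one whose __wakeup/__destruct does something useful to them.
final class DemoGadget
{
    public static bool $wokeUp = false;
    public string $path = '';

    public function __wakeup(): void
    {
        // Any side effect here runs the moment unserialize() revives the object.
        self::$wokeUp = true;
    }
}

// Vulnerable sink: unserialize() on the raw workload with no class restriction.
function handleJobUnsafe(string $workload): mixed
{
    return unserialize($workload);
}

// Hardened sink: no class can be instantiated, and the payload shape is
// checked before anything acts on it. allowed_classes => false turns any
// O:/C: entry into a __PHP_Incomplete_Class object, which is then rejected.
function handleJobSafe(string $workload): array
{
    // @ silences the warning unserialize() emits on malformed input; the
    // false/non-array result is handled explicitly below.
    $data = @unserialize($workload, ['allowed_classes' => false, 'max_depth' => 16]);
    if (!is_array($data)) {
        throw new InvalidArgumentException('workload is not a serialized array');
    }
    array_walk_recursive($data, static function ($v): void {
        if (is_object($v)) { // an incomplete class still arrives as an object
            throw new InvalidArgumentException('object in workload rejected');
        }
    });
    if (!isset($data['task'], $data['args']) || !is_string($data['task']) || !is_array($data['args'])) {
        throw new InvalidArgumentException('unexpected workload structure');
    }
    return $data;
}

// Constructed payload: what a client able to reach TCP/4730 could enqueue.
$evil = 'O:10:"DemoGadget":1:{s:4:"path";s:11:"/etc/passwd";}';
// Constructed benign payload in the shape the hardened handler expects.
$good = serialize(['task' => 'refresh_host_status', 'args' => ['hostId' => 42]]);

handleJobUnsafe($evil);
printf("unsafe: gadget __wakeup ran? %s\n", DemoGadget::$wokeUp ? 'yes' : 'no');

DemoGadget::$wokeUp = false;
try {
    handleJobSafe($evil);
} catch (InvalidArgumentException $e) {
    printf("safe:   rejected (%s); __wakeup ran? %s\n", $e->getMessage(), DemoGadget::$wokeUp ? 'yes' : 'no');
}
echo 'safe:   accepted task ' . handleJobSafe($good)['task'] . PHP_EOL;
```

Running it shows __wakeup firing from the unsafe handler while the hardened handler rejects the same bytes without ever constructing DemoGadget, and the benign array round-trips. Note that allowed_classes => false on its own does not fail loudly; it hands back a __PHP_Incomplete_Class object, so the type and structure checks are what actually reject the payload. A JSON workload decoded with json_decode($workload, true) sidesteps the object question entirely, which is why it is the better IPC format when both ends can be changed.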

