CVE-2026-24892
Unrestricted PHP Object Injection in openITCOCKPIT Risks RCE
Publication date: 2026-02-20
Last updated on: 2026-03-02
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| it-novum | openitcockpit | < 5.4.0 (5.4.0 itself not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-24892 is a latent unsafe PHP deserialization vulnerability in openITCOCKPIT Community Edition version 5.3.1 and earlier. It arises from the use of PHP's native unserialize() function on serialized changelog data without restricting the allowed classes, which opens the door to PHP object injection.

No current application endpoint injects PHP objects into this data path, but the unrestricted unserialize() call means that any future code change or plugin that lets object values reach the changelog data would turn the latent weakness into an exploitable one.

If exploited, the vulnerability would let an attacker have arbitrary PHP classes instantiated during deserialization, so that their magic methods (such as __wakeup() or __destruct()) run with attacker-controlled properties, potentially leading to remote code execution (RCE) and full application compromise. [1, 2]
How can this vulnerability impact me?
If exploited, this vulnerability can have severe impacts including remote code execution, arbitrary file modification, data integrity compromise, and full application compromise.
An attacker could manipulate serialized changelog data to execute malicious PHP code on the server, such as writing a webshell to the webroot, which allows persistent unauthorized access.
The vulnerability is considered high risk due to its potential to allow attackers to take control of the application remotely, even though current exploitability requires direct database manipulation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves unsafe PHP deserialization in openITCOCKPIT's changelog handling, specifically the use of the unserialize() function without restricting allowed classes. Detection involves checking for the presence of the vulnerable code pattern and for potentially malicious serialized data in the changelog table.

- Inspect the source code for calls to PHP's unserialize() that do not pass the 'allowed_classes' option (or pass it as anything other than false), especially in files like src/Model/Entity/Changelog.php and src/Controller/ChangelogsController.php.
- Search the changelog database column 'changelogs.data' for serialized PHP objects; a legitimate changelog entry contains only arrays and scalars, so any object token indicates tampering or an exploitation attempt.
- Use a command such as the following to list unserialize() usage in the openITCOCKPIT source directory, then review each hit for a missing or permissive 'allowed_classes' option: `grep -rn "unserialize(" /opt/openitc/frontend/src/`
- Query the database for changelog entries that contain serialized objects (which may indicate exploitation attempts): `SELECT * FROM changelogs WHERE data LIKE '%O:%';` Note that this pattern also matches ordinary text such as "TODO:" inside string values, so treat hits as candidates to inspect, not as confirmed findings; a serialized object starts with the token `O:<length>:"<ClassName>":`.

Because no current application endpoint allows injection of PHP objects into changelog data, detection relies on code review and database inspection rather than network traffic analysis. [2]
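The SQL search above can be tightened by tokenizing the serialized value instead of substring-matching it. The following is an added example, not openITCOCKPIT code: a small walker over PHP's serialization format that records every class name referenced by an object (`O:`), custom-serialized (`C:`) or enum (`E:`) token without ever calling unserialize() on the untrusted data. The table rows are constructed inline to stand in for `changelogs.data`; the column and table names are the ones the advisory mentions, everything else is assumed for illustration.

```php
<?php
declare(strict_types=1);

// Added example (not part of openITCOCKPIT): walk a PHP-serialized value and
// collect the class names of every O:/C:/E: token without instantiating
// anything. Throws on malformed input so truncated rows surface as errors.
function findSerializedClasses(string $data): array
{
    $classes = [];
    $pos = 0;
    $len = strlen($data);

    $scan = function () use (&$scan, &$pos, &$classes, $data, $len): void {
        if ($pos >= $len) {
            throw new RuntimeException("truncated serialized data at offset $pos");
        }
        switch ($data[$pos]) {
            case 'N':                        // N;
                $pos += 2;
                return;
            case 'b': case 'i': case 'd':    // b:1; i:42; d:1.5;
            case 'r': case 'R':              // back-references r:3; R:3;
                $end = strpos($data, ';', $pos);
                if ($end === false) throw new RuntimeException("unterminated scalar at $pos");
                $pos = $end + 1;
                return;
            case 's':                        // s:<len>:"<bytes>";
                if (!preg_match('/\Gs:(\d+):"/', $data, $m, 0, $pos)) throw new RuntimeException("bad string at $pos");
                $pos += strlen($m[0]) + (int)$m[1] + 2;   // bytes, closing quote, semicolon
                return;
            case 'a':                        // a:<count>:{key value ...}
                if (!preg_match('/\Ga:(\d+):\{/', $data, $m, 0, $pos)) throw new RuntimeException("bad array at $pos");
                $pos += strlen($m[0]);
                for ($i = 0, $n = (int)$m[1]; $i < $n; $i++) { $scan(); $scan(); }
                $pos++;                      // closing brace
                return;
            case 'O':                        // O:<len>:"<Class>":<count>:{key value ...}
                if (!preg_match('/\GO:(\d+):"/', $data, $m, 0, $pos)) throw new RuntimeException("bad object at $pos");
                $pos += strlen($m[0]);
                $classes[] = substr($data, $pos, (int)$m[1]);
                $pos += (int)$m[1];
                if (!preg_match('/\G":(\d+):\{/', $data, $m2, 0, $pos)) throw new RuntimeException("bad object header at $pos");
                $pos += strlen($m2[0]);
                for ($i = 0, $n = (int)$m2[1]; $i < $n; $i++) { $scan(); $scan(); }
                $pos++;
                return;
            case 'C':                        // C:<len>:"<Class>":<len>:{<opaque bytes>}
                if (!preg_match('/\GC:(\d+):"/', $data, $m, 0, $pos)) throw new RuntimeException("bad custom object at $pos");
                $pos += strlen($m[0]);
                $classes[] = substr($data, $pos, (int)$m[1]);
                $pos += (int)$m[1];
                if (!preg_match('/\G":(\d+):\{/', $data, $m2, 0, $pos)) throw new RuntimeException("bad custom header at $pos");
                $pos += strlen($m2[0]) + (int)$m2[1] + 1;
                return;
            case 'E':                        // E:<len>:"<Class>:<Case>";
                if (!preg_match('/\GE:(\d+):"/', $data, $m, 0, $pos)) throw new RuntimeException("bad enum at $pos");
                $pos += strlen($m[0]);
                $classes[] = substr($data, $pos, (int)$m[1]);
                $pos += (int)$m[1] + 2;
                return;
            default:
                throw new RuntimeException("unknown token '{$data[$pos]}' at $pos");
        }
    };

    $scan();
    if ($pos !== $len) {
        throw new RuntimeException("trailing bytes after offset $pos");
    }
    return $classes;
}

// Constructed sample rows standing in for SELECT id, data FROM changelogs.
$gadget = new stdClass();                    // stdClass only marks the shape of a tampered row
$gadget->target = '/var/www/html/shell.php';
$rows = [
    1 => serialize(['field' => 'description', 'old' => 'a', 'new' => 'b']),   // legitimate
    2 => serialize(['note' => 'TODO: review O:1:"x"']),                      // string decoy, matches LIKE '%O:%'
    3 => serialize(['note' => $gadget]),                                     // object smuggled into the data path
];

foreach ($rows as $id => $data) {
    $classes = findSerializedClasses($data);
    printf("row %d: %s\n", $id, $classes ? 'OBJECT ' . implode(',', $classes) : 'clean');
}
// row 1: clean / row 2: clean / row 3: OBJECT stdClass
```

Row 2 shows why the walker is preferable to `LIKE '%O:%'`: the "O:" lives inside a string value and is skipped by length, so only row 3 is flagged. Any class name other than the ones the application legitimately stores (for this data path, none) is a finding worth preserving for forensic review before the row is cleaned up.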
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation for CVE-2026-24892 is to stop unserialize() from instantiating any class by passing the 'allowed_classes' option as false.

- Update all unserialize() calls on changelog data in the openITCOCKPIT codebase to use: unserialize($data, ['allowed_classes' => false])
- Specifically patch files such as src/Model/Entity/Changelog.php, src/Controller/ChangelogsController.php, src/Command/GearmanWorkerCommand.php, and src/itnovum/openITCOCKPIT/Core/System/Gearman.php to enforce this safe deserialization.

With 'allowed_classes' set to false, arrays and scalar values deserialize as before, while any object token is materialized as a __PHP_Incomplete_Class placeholder instead of an instance of the named class, so no __wakeup() or __destruct() of an application or library class can run and the object-injection path to remote code execution is closed. The placeholder is still an object, so code that expects only arrays should additionally reject results that contain one.

Longer-term mitigation includes replacing PHP serialization with a data-only format such as JSON and treating changelog data as opaque text rather than as executable structures. [1, 2]
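To make the difference concrete, here is an added example that is not openITCOCKPIT code: a vulnerable loader and its hardened counterpart fed the same tampered changelog payload. The `FileWriter` class is a hypothetical stand-in for any autoloadable class whose magic methods have side effects; no such class is claimed to exist in openITCOCKPIT, and the payload is constructed inline.

```php
<?php
declare(strict_types=1);

// Hypothetical gadget (assumption for the demo, not an openITCOCKPIT class):
// any class reachable by the autoloader whose __wakeup()/__destruct() does
// something with attacker-controlled properties plays this role.
final class FileWriter
{
    public string $path = '';
    public string $contents = '';

    public function __wakeup(): void
    {
        // Fires purely because the deserializer instantiated this class.
        echo "[__wakeup] would write " . strlen($this->contents)
            . " bytes to {$this->path}\n";
    }
}

// Vulnerable pattern (CWE-502): every class known to the autoloader is fair game.
function loadChangelogUnsafe(string $data): mixed
{
    return unserialize($data);
}

// Hardened pattern: object tokens become __PHP_Incomplete_Class, no magic
// method runs. The result is then checked to be pure arrays/scalars, because
// the placeholder is still an object and downstream code should not see it.
function loadChangelogSafe(string $data): array
{
    $value = unserialize($data, ['allowed_classes' => false, 'max_depth' => 32]);
    if (!is_array($value) || containsObject($value)) {
        throw new UnexpectedValueException('changelog data must contain only arrays and scalars');
    }
    return $value;
}

function containsObject(array $value): bool
{
    foreach ($value as $item) {
        if (is_object($item)) {
            return true;
        }
        if (is_array($item) && containsObject($item)) {
            return true;
        }
    }
    return false;
}

// Constructed payload: a tampered changelogs.data row carrying an object.
$gadget = new FileWriter();
$gadget->path = '/var/www/html/shell.php';
$gadget->contents = '<?php /* attacker controlled */';
$payload = serialize(['field' => 'description', 'new' => $gadget]);

$unsafe = loadChangelogUnsafe($payload);            // prints the [__wakeup] line
var_dump($unsafe['new'] instanceof FileWriter);     // bool(true): real instance

$restricted = unserialize($payload, ['allowed_classes' => false]);
var_dump($restricted['new'] instanceof __PHP_Incomplete_Class); // bool(true), nothing printed

try {
    loadChangelogSafe($payload);
} catch (UnexpectedValueException $e) {
    echo "rejected: {$e->getMessage()}\n";         // hardened loader refuses the row
}

// A legitimate row passes the hardened loader unchanged.
$legit = serialize(['field' => 'description', 'old' => 'a', 'new' => 'b']);
var_dump(loadChangelogSafe($legit) === ['field' => 'description', 'old' => 'a', 'new' => 'b']); // bool(true)
```

The 'max_depth' option (PHP 7.4 and later) is an extra guard against deeply nested payloads used for resource exhaustion; it is independent of the object-injection fix and can be dropped on older interpreters. Passing an explicit allow-list of class names instead of false is only appropriate when the data genuinely needs objects, which the advisory states is not the case for changelog data.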