Executive Summary

CVE-2026-27895 is a vulnerability in the LDAP Account Manager (LAM) software, specifically in versions up to 9.4. The issue lies in the PDF export component, which does not properly validate uploaded file extensions due to an incorrect regular expression. This flaw allows attackers to upload files of any type, including potentially dangerous files such as .php scripts.

This vulnerability can be exploited by users with access to the admin UI or configuration import functionality, enabling them to upload arbitrary files to the server. When combined with another vulnerability (GHSA-w7xq-vjr3-p9cf), it can lead to remote code execution with the privileges of the web server user.

The issue is fixed in LAM version 9.5, and a recommended workaround is to make the directory /var/lib/ldap-account-manager/config read-only for the web server user.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker with low privileges and no user interaction to upload arbitrary files, including executable PHP scripts, to the server running LDAP Account Manager.

If exploited in combination with another vulnerability, it can lead to remote code execution with the privileges of the web server user, potentially allowing the attacker to execute malicious code on the server.

The impact includes a low integrity impact if exploited alone, but when chained with the related vulnerability, it can have a high impact on confidentiality, integrity, and availability of the system.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'Detection of this vulnerability involves identifying if your LDAP Account Manager (LAM) installation is running a vulnerable version (up to and including 9.4) and if the PDF export component is accessible to users.'}, {'type': 'paragraph', 'content': 'You can check the installed LAM version by running commands such as:'}, {'type': 'list_item', 'content': 'grep -i version /path/to/lam/version or checking the version in the admin UI.'}, {'type': 'list_item', 'content': 'Look for the presence of the PDF export functionality and verify if users have access to the admin UI or configuration import features.'}, {'type': 'paragraph', 'content': 'Additionally, monitoring web server logs for suspicious file upload attempts, especially uploads of files with extensions like .php, can help detect exploitation attempts.'}, {'type': 'paragraph', 'content': 'Since the vulnerability allows uploading arbitrary file types, commands to find recently uploaded suspicious files might include:'}, {'type': 'list_item', 'content': 'find /var/lib/ldap-account-manager/config -type f -name "*.php" -ls'}, {'type': 'list_item', 'content': 'grep -i "upload" /var/log/apache2/access.log or equivalent web server logs to detect unusual upload activity.'}] [1, 3]

Useful 0 Not Useful 0

Mitigation Strategies

The recommended immediate mitigation is to upgrade LDAP Account Manager (LAM) to version 9.5, which contains a fix for this vulnerability.

If upgrading is not immediately possible, a workaround is to make the directory /var/lib/ldap-account-manager/config read-only for the web server user to prevent uploading or modifying files in that directory.

Additionally, deleting PDF profile files disables the PDF export functionality, further reducing the attack surface.

These steps help prevent attackers from uploading arbitrary files or exploiting the vulnerability to achieve remote code execution.

Useful 0 Not Useful 0