CVE-2026-29782
Unrestricted Unserialize in OpenSTAManager oauth2.php Enables RCE
Publication date: 2026-04-02
Last updated on: 2026-04-07
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| devcode | openstamanager | < 2.10.2 (2.10.2 is the first fixed release) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability lets an attacker execute arbitrary code on the server, which can lead to unauthorized access to sensitive data, modification of application code, and disruption of service.
Such unauthorized access and any resulting data breach can violate requirements under regulations like GDPR and HIPAA, which mandate protection of personal and sensitive information, integrity of systems, and availability of services.
In particular, an attacker can read server files, database credentials, and API keys, which may expose personal data protected under these regulations and so constitute a confidentiality breach.
The ability to write files and install backdoors threatens data integrity and system trustworthiness, and denial of service affects availability; all three are factors that compliance assessments examine.
Can you explain this vulnerability to me?
CVE-2026-29782 is a critical remote code execution (RCE) vulnerability in OpenSTAManager caused by insecure deserialization in its OAuth2 implementation.
The oauth2.php endpoint is reachable without authentication and takes a GET parameter, state, that the attacker controls. The application uses that value to load a record from the zz_oauth2 database table.
During the OAuth2 configuration flow it then calls PHP's unserialize() on the record's access_token field without restricting which classes may be instantiated (the allowed_classes option is not used). Whoever controls that field can therefore make unserialize() rebuild an object of any class on the autoload path, and a class with a suitable magic method turns that into arbitrary code execution on the server.
The exploit chain has two steps: the attacker first plants a serialized payload in zz_oauth2 through an unrelated SQL injection vulnerability in the Aggiornamenti module, then triggers deserialization with an unauthenticated request to oauth2.php whose state parameter selects the poisoned record.
The patch restricts unserialize() to the AccessToken class; any other class in the blob is no longer instantiated.
How can this vulnerability impact me?
This vulnerability can have severe impacts including full remote code execution on the server running OpenSTAManager.
- Confidentiality: An attacker can read sensitive files, database credentials, and API keys.
- Integrity: The attacker can write files, install backdoors, and modify application code.
- Availability: The attacker can delete files or cause denial of service.
Because the code runs as the web server user (typically www-data), the attacker also gains a foothold on the host from which to move laterally within the network and escalate further.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation is triggered by an unauthenticated HTTP GET request to oauth2.php carrying a state parameter, so web server access logs are the first place to look. Keep in mind that state is a normal part of every OAuth2 callback and the payload itself lives in the zz_oauth2 table, not in the request, so a request on its own does not prove exploitation.
Look for requests to oauth2.php from unexpected sources, outside normal configuration activity, or with state values that do not correspond to a record an administrator created.
PHP error logs can also help: a payload that fails, or a poisoned row that is hit after the fix, shows up as fatal errors about method calls on unexpected or incomplete objects.
- Search the access log for requests to oauth2.php: `grep 'oauth2.php' /var/log/apache2/access.log` (adjust the path for nginx or another server).
- Narrow to requests that carry the state parameter on that endpoint, which is tighter than grepping for `state=` alone since that string appears in every OAuth2 flow: `grep -E 'oauth2\.php\?[^ ]*state=' /var/log/apache2/access.log`.
- Check the PHP error log for deserialization-related failures: `grep -iE 'unserialize|incomplete object|Fatal error' /var/log/php_errors.log` (or wherever error_log points on your system).
The decisive check is in the database. List the rows of zz_oauth2 and inspect the access_token column as text, without passing it to unserialize(): legitimate values serialize the AccessToken class only, so a blob that references any other class name, or any row at all on an installation where OAuth2 was never configured, indicates that the SQL injection was used to stage a payload.
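To make that database check concrete, here is an added triage helper, written for this page and not part of OpenSTAManager. It extracts class names from serialized blobs with a regular expression instead of calling unserialize(), so nothing in a poisoned row can run while you look at it. The column names, the sample rows and the single-entry allowlist are constructed assumptions; substitute the fully qualified token class your installation actually stores in access_token.

```php
<?php
// Added triage helper, not OpenSTAManager code. Column names, sample rows and
// the allowlist below are constructed assumptions for this example.
declare(strict_types=1);

// Class names that may legitimately appear in a serialized access_token blob.
// Assumption: the patched application accepts only AccessToken; use the fully
// qualified name your installation stores (for example a vendored token class).
const EXPECTED_CLASSES = ['AccessToken'];

/**
 * List every class name referenced by a serialized PHP blob without calling
 * unserialize(), so no magic method of a planted object can fire during triage.
 * Matches object tokens  O:<len>:"<name>"  and custom tokens  C:<len>:"<name>".
 */
function serializedClassNames(string $blob): array
{
    preg_match_all('/[OC]:(\d+):"([^"]*)"/', $blob, $hits, PREG_SET_ORDER);
    $names = [];
    foreach ($hits as $hit) {
        // A declared length that disagrees with the name is itself a sign of
        // hand-crafted data, so keep it visible in the finding.
        $names[] = (int) $hit[1] === strlen($hit[2]) ? $hit[2] : $hit[2] . ' (length mismatch)';
    }
    return array_values(array_unique($names));
}

/** Return a finding for one zz_oauth2 row, or null when it looks legitimate. */
function auditRow(array $row): ?string
{
    $unexpected = array_diff(serializedClassNames($row['access_token']), EXPECTED_CLASSES);
    if ($unexpected === []) {
        return null;
    }
    return sprintf('zz_oauth2 id=%d references unexpected class(es): %s',
        $row['id'], implode(', ', $unexpected));
}

// Constructed rows standing in for: SELECT id, access_token FROM zz_oauth2
$rows = [
    ['id' => 1, 'access_token' => 'O:11:"AccessToken":2:{s:5:"token";s:6:"abc123";s:7:"expires";i:1800000000;}'],
    ['id' => 2, 'access_token' => 'O:9:"LogWriter":2:{s:4:"path";s:23:"/var/www/html/shell.php";s:4:"data";s:5:"<?php";}'],
    ['id' => 3, 'access_token' => 'N;'],   // never configured: nothing serialized
];

foreach ($rows as $row) {
    echo auditRow($row) ?? "zz_oauth2 id={$row['id']}: ok", PHP_EOL;
}
```

Against a live installation, feed auditRow() the result of a read-only SELECT id, access_token FROM zz_oauth2. The regex can also match an O:...:"..." pattern embedded inside a string value, which is a false positive for this purpose but still worth a look. Any row that references a class outside the allowlist, and any row at all on an installation where OAuth2 was never configured, should be treated as evidence that the SQL injection was used; the database's own query or binary log will show when the row was written.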
What immediate steps should I take to mitigate this vulnerability?
Upgrade OpenSTAManager to version 2.10.2 or later; that release restricts the classes unserialize() may instantiate when reading the access_token field.
If you cannot upgrade immediately, apply the same restriction locally: call unserialize() on the access_token field with the allowed_classes option limited to the token class, or replace PHP serialization of that field with a plain format such as JSON so that no objects are instantiated at all.
Fix the SQL injection vulnerability in the Aggiornamenti module as well. It is the write path that lets an attacker plant the payload in zz_oauth2, and the deserialization fix alone does not close it.
Add authentication and authorization checks to oauth2.php where the flow allows it. The OAuth2 redirect callback has to remain reachable by the provider, so rather than blocking the endpoint outright, apply the standard OAuth2 defence of binding the state value to the session that started the configuration flow and rejecting requests whose state does not match.
Restrict database write access to trusted accounts, and audit changes to zz_oauth2 made through the application's own database account, since that is the account a SQL injection would use.