CVE-2026-29782
Received Received - Intake
Unrestricted Unserialize in OpenSTAManager oauth2.php Enables RCE

Publication date: 2026-04-02

Last updated on: 2026-04-07

Assigner: GitHub, Inc.

Description
OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the oauth2.php file in OpenSTAManager is an unauthenticated endpoint ($skip_permissions = true). It loads a record from the zz_oauth2 table using the attacker-controlled GET parameter state, and during the OAuth2 configuration flow calls unserialize() on the access_token field without any class restriction. This issue has been patched in version 2.10.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-02
Last Modified
2026-04-07
Generated
2026-06-16
AI Q&A
2026-04-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-29782
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
devcode openstamanager to 2.10.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-29782 is a critical Remote Code Execution (RCE) vulnerability in OpenSTAManager caused by insecure deserialization in its OAuth2 implementation.

The vulnerability arises because the oauth2.php endpoint is unauthenticated and accepts a GET parameter 'state' that is attacker-controlled. This parameter is used to load a record from the zz_oauth2 database table.

During the OAuth2 configuration flow, the application calls PHP's unserialize() function on the access_token field of this record without restricting which classes can be instantiated. This allows an attacker who can inject malicious serialized PHP objects into the access_token field to execute arbitrary code on the server.

The exploit chain requires the attacker to first inject a malicious payload into the database via an unrelated SQL injection vulnerability, then trigger the deserialization by making an unauthenticated request to oauth2.php.

The vulnerability has been patched by restricting unserialize() to only allow deserialization of the AccessToken class.

Impact Analysis

This vulnerability can have severe impacts including full remote code execution on the server running OpenSTAManager.

  • Confidentiality: An attacker can read sensitive files, database credentials, and API keys.
  • Integrity: The attacker can write files, install backdoors, and modify application code.
  • Availability: The attacker can delete files or cause denial of service.

Since the code execution happens as the web server user (www-data), the attacker can also move laterally within the network and escalate the attack further.

Detection Guidance

This vulnerability can be detected by monitoring for unauthenticated HTTP GET requests to the oauth2.php endpoint with a state parameter, which triggers deserialization of potentially malicious payloads.

To detect exploitation attempts, you can look for unusual or unexpected requests to oauth2.php, especially those including the state parameter.

Additionally, monitoring for error logs indicating PHP errors related to method calls on invalid objects (such as calls to non-existent methods on deserialized objects) may indicate exploitation attempts.

  • Use web server access logs to search for requests to oauth2.php with GET parameters: `grep 'oauth2.php' /var/log/apache2/access.log` or equivalent.
  • Look for suspicious state parameter values that could be attacker-controlled: `grep 'state=' /var/log/apache2/access.log`.
  • Check PHP error logs for errors related to deserialization or method calls on unexpected objects: `grep -i 'unserialize' /var/log/php_errors.log` or `grep -i 'Fatal error' /var/log/php_errors.log`.

If you have database access, you can query the zz_oauth2 table for suspicious or unexpected serialized data in the access_token field.

Mitigation Strategies

Immediate mitigation steps include upgrading OpenSTAManager to version 2.10.2 or later, where the vulnerability has been patched by restricting the classes allowed during deserialization.

If upgrading is not immediately possible, restrict or avoid the use of PHP's unserialize() function on untrusted data, especially on the access_token field in the OAuth2 implementation.

Fix the underlying arbitrary SQL injection vulnerability in the Aggiornamenti module to prevent attackers from injecting malicious serialized payloads into the zz_oauth2 database table.

Implement proper authentication and authorization checks on the oauth2.php endpoint to prevent unauthenticated access.

Monitor and restrict database write access to trusted users only to prevent unauthorized modifications.

Compliance Impact

This vulnerability allows an attacker to execute arbitrary code on the server, potentially leading to unauthorized access to sensitive data, modification of application code, and disruption of service.

Such unauthorized access and potential data breaches could violate compliance requirements under common standards and regulations like GDPR and HIPAA, which mandate protection of personal and sensitive information, integrity of systems, and availability of services.

Specifically, the attacker can read sensitive server files, database credentials, and API keys, which may include personal data protected under these regulations, thus risking confidentiality breaches.

The ability to modify files and install backdoors also threatens data integrity and system trustworthiness, while denial of service impacts availability, all of which are critical compliance factors.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29782. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart