CVE-2026-45776
Authorization Bypass in OpenXDMoD via Session Variable
Publication date: 2026-06-05
Last updated on: 2026-06-05
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openxdmod | openxdmod | to 11.0.3 (exc) |
| ubccr | open_xdmod | to 11.0.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Open XDMoD prior to version 11.0.3 and involves a flaw in the access control logic. An attacker can submit a specially crafted HTTPS POST request that sets a session variable used for authorization decisions.
If the optional Job Performance (SUPReMM) module is installed, this flaw allows the attacker to bypass intended data access restrictions and view other users' compute job efficiency metrics.
How can this vulnerability impact me? :
The primary impact of this vulnerability is on confidentiality. An attacker with network access and low privileges can exploit this flaw to gain unauthorized access to sensitive data, specifically other users' compute job efficiency metrics.
This could lead to exposure of sensitive performance data that was intended to be restricted, potentially compromising privacy and competitive information within HPC environments.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves an attacker submitting a crafted HTTPS POST request that sets a session variable used for authorization decisions in Open XDMoD installations with the optional Job Performance (SUPReMM) module.
To detect this vulnerability on your network or system, you should monitor HTTPS POST requests to the Open XDMoD server for unusual or crafted session variable manipulations, especially those targeting authorization mechanisms.
Specific commands are not provided in the available resources. However, general approaches could include inspecting web server logs for suspicious POST requests, using network monitoring tools like Wireshark or tcpdump to capture HTTPS traffic (if decrypted), or employing web application firewalls (WAF) to detect anomalous POST requests.
What immediate steps should I take to mitigate this vulnerability?
The primary immediate step to mitigate this vulnerability is to upgrade Open XDMoD to version 11.0.3 or later, where the vulnerability has been patched.
If upgrading immediately is not possible, a manual patch can be applied as a temporary workaround. This patch removes certain PHP files and restricts operations to users with the STATUS_MANAGER_ROLE privilege, thereby enforcing stricter role-based access control.
Additionally, monitoring and restricting access to the affected modules and ensuring that only authorized users have access can help reduce risk until the patch or upgrade is applied.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows an attacker to bypass intended data access restrictions and view other users' compute job efficiency metrics, impacting the confidentiality of sensitive data.
Unauthorized access to sensitive user data can lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require strict controls over access to personal and sensitive information.
Therefore, if exploited, this vulnerability could result in violations of these standards by exposing protected data to unauthorized parties.