CVE-2026-24891
📋 TL;DR
CVE-2026-24891 is an unsafe deserialization vulnerability in the openITCOCKPIT monitoring tool: a Gearman worker passes job payloads to PHP's unserialize(), so any system that can submit Gearman jobs can perform PHP Object Injection. Versions 5.3.1 and below are affected. Depending on the classes loadable in the worker, this can lead to remote code execution or other side effects chosen by the attacker. Deployments where the Gearman job server (TCP/4730) is reachable from untrusted networks are at risk.
💻 Affected Systems
- openITCOCKPIT
📦 What is this software?
Openitcockpit by It Novum
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, and lateral movement within the monitoring infrastructure.
Likely Case
PHP object injection leading to arbitrary code execution within the worker process context, potentially compromising the monitoring system.
If Mitigated
Little to no impact if the Gearman job server accepts connections only from trusted internal components (for example, bound to localhost and firewalled), since the attacker then has no way to submit a job.
🎯 Exploit Status
Exploitation requires network access to the Gearman job server (TCP/4730) and the ability to submit a crafted serialized payload as a job. Gearman has no built-in authentication, so if the port is exposed no credentials are needed.
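The mechanism in the Risk and Exploit Status sections above, as an added illustrative example. This is not openITCOCKPIT's code: the worker callbacks, the LogFlusher class and the payload are hypothetical stand-ins for "a class with a magic method that the worker can autoload" and "a workload the attacker controls". The page does not describe the real gadget chain, so none is claimed here.

```php
<?php
// Added example, not project code. Shows why unserialize() on a Gearman workload
// is dangerous and what a worker that does not trust the workload looks like.

// Hypothetical class: any autoloadable class with a magic method will do.
// The attacker who controls the serialized string picks the class and sets its properties.
class LogFlusher
{
    public string $path = '/tmp/app.log';
    public string $data = '';

    // Runs when the object is destroyed, which happens as soon as the worker drops
    // the value unserialize() returned. No call from the application is needed.
    public function __destruct()
    {
        file_put_contents($this->path, $this->data);
    }
}

// VULNERABLE worker callback: treats the workload as PHP-serialized data.
function vulnerableWorker(string $workload): array
{
    $job = unserialize($workload);   // instantiates whatever class the payload names
    return is_array($job) ? $job : [];
}

// HARDENED worker callback: a plain data format plus a strict shape check.
// Serialized PHP is never parsed, so no attacker-chosen class is ever instantiated.
function hardenedWorker(string $workload): array
{
    $job = json_decode($workload, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($job) || !isset($job['task']) || !is_string($job['task'])) {
        throw new InvalidArgumentException('workload does not match the expected schema');
    }
    return $job;
}

// Constructed attacker payload: a serialized LogFlusher pointing at an attacker-chosen
// path. Built as a string so that no LogFlusher object exists on the "attacker" side.
$path = sys_get_temp_dir() . '/poc_from_gearman.txt';
$data = "written by __destruct\n";
$payload = sprintf(
    'O:10:"LogFlusher":2:{s:4:"path";s:%d:"%s";s:4:"data";s:%d:"%s";}',
    strlen($path), $path, strlen($data), $data
);

vulnerableWorker($payload);                  // returns [] but the file gets written
var_dump(file_exists($path));                // the side effect already happened

try {
    hardenedWorker($payload);                // serialized PHP is not valid JSON
} catch (JsonException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
var_dump(hardenedWorker('{"task":"check_host","host":"srv01"}'));
```

If the job format cannot be changed, `unserialize($workload, ['allowed_classes' => false])` (PHP 7.0+) turns every object in the payload into `__PHP_Incomplete_Class`, so no magic methods of application classes run; switching to a data-only format such as JSON is still the stronger fix.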
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.4.0
Vendor Advisory: https://github.com/openITCOCKPIT/openITCOCKPIT/security/advisories/GHSA-x4mq-8gfg-frc4
Restart Required: Yes
Instructions:
1. Back up your openITCOCKPIT installation and database.
2. Download version 5.4.0 from GitHub releases.
3. Follow the official upgrade guide for your deployment method (Docker, manual, etc.).
4. Restart all openITCOCKPIT services, including the Gearman workers, so that no process keeps running the old code.
🔧 Temporary Workarounds
Restrict Gearman Network Access
Configure the Gearman job server (gearmand) to listen only on localhost or trusted interfaces and add network access controls. Before binding to localhost only, confirm that every component that submits jobs runs on the same host.
Start gearmand with --listen=127.0.0.1 (gearmand takes the address in --listen and the port in --port, default 4730); on Debian/Ubuntu this is PARAMS="--listen=127.0.0.1" in /etc/default/gearman-job-server.
Configure firewall rules (order matters, the ACCEPT must come before the DROP, and rules added this way do not survive a reboot unless saved):
iptables -A INPUT -p tcp --dport 4730 -s <trusted_ip_range> -j ACCEPT
iptables -A INPUT -p tcp --dport 4730 -j DROP
Implement Network Segmentation
Isolate the Gearman job server in a protected network segment with strict access controls, so that only the openITCOCKPIT components that legitimately submit jobs can reach TCP/4730.
🧯 If You Can't Patch
- Implement strict network access controls so that the Gearman job server (TCP/4730) is reachable only from trusted systems.
- Deploy application-level filtering or a proxy in front of the job server that rejects any job whose payload does not match the shape the worker expects (for example, anything that is not the expected data format). Treat this as a stopgap: Gearman carries opaque payloads, so a filter can only reduce, not eliminate, the exposure.
🔍 How to Verify
Check if Vulnerable:
Read the installed openITCOCKPIT version and check whether the Gearman job server is reachable from untrusted networks. To compare the installed version against the fix, pass it as an argument (replace 5.3.1 with the version you found):
php -r 'echo version_compare($argv[1], "5.4.0", "<") ? "VULNERABLE" : "PATCHED", PHP_EOL;' -- 5.3.1
Check Version:
Check the web interface admin panel or run: grep -i "version" /path/to/openitcockpit/config/version.php
Verify Fix Applied:
Verify the version is 5.4.0 or higher, that the Gearman workers have been restarted since the upgrade, and that the job server is no longer reachable from untrusted networks.
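The two checks in this section as one added script (not from openITCOCKPIT or the advisory): a version comparison against the fix version, and a reachability probe that sends a Gearman ECHO_REQ packet to the job server and looks for the matching ECHO_RES. Run it from a host on an untrusted network segment to learn whether that segment can submit jobs at all. The packet layout used (magic "\0REQ"/"\0RES", big-endian type, big-endian length, data; ECHO_REQ=16, ECHO_RES=17) is the Gearman binary protocol; the function names, default version and hosts are this example's own.

```php
<?php
// Added example, not project code. Usage: php check.php <installed-version> <gearmand-host>

const GEARMAN_ECHO_REQ = 16;   // Gearman binary protocol packet types
const GEARMAN_ECHO_RES = 17;
const FIXED_VERSION    = '5.4.0';

function isVulnerableVersion(string $installed): bool
{
    return version_compare($installed, FIXED_VERSION, '<');
}

// One Gearman request packet: magic "\0REQ", 32-bit BE type, 32-bit BE length, data.
function gearmanPacket(int $type, string $data): string
{
    return "\0REQ" . pack('NN', $type, strlen($data)) . $data;
}

// Parse a response packet; returns [type, data] or null if it is not a complete Gearman reply.
function parseGearmanResponse(string $raw): ?array
{
    if (strlen($raw) < 12 || substr($raw, 0, 4) !== "\0RES") {
        return null;
    }
    $hdr  = unpack('Ntype/Nlen', substr($raw, 4, 8));
    $data = substr($raw, 12, $hdr['len']);
    return strlen($data) === $hdr['len'] ? [$hdr['type'], $data] : null;
}

// Send ECHO_REQ with a random nonce and report whether a gearmand echoed it back.
function gearmandReachable(string $host, int $port = 4730, float $timeout = 3.0): bool
{
    $sock = @fsockopen($host, $port, $errno, $errstr, $timeout);
    if ($sock === false) {
        return false;              // refused or filtered: not reachable from this host
    }
    stream_set_timeout($sock, (int) ceil($timeout));
    $nonce = bin2hex(random_bytes(8));
    fwrite($sock, gearmanPacket(GEARMAN_ECHO_REQ, $nonce));

    $want = 12 + strlen($nonce);   // header plus the echoed data
    $raw  = '';
    while (strlen($raw) < $want) {
        $chunk = fread($sock, $want - strlen($raw));
        if ($chunk === false || $chunk === '') {
            break;                 // timeout or peer closed: treat as no valid reply
        }
        $raw .= $chunk;
    }
    fclose($sock);

    $res = parseGearmanResponse($raw);
    return $res !== null && $res[0] === GEARMAN_ECHO_RES && $res[1] === $nonce;
}

$version = $argv[1] ?? '5.3.1';      // the version read from the installation
$host    = $argv[2] ?? '127.0.0.1';  // the openITCOCKPIT host, as seen from where you run this

printf("openITCOCKPIT %s: %s\n", $version,
    isVulnerableVersion($version) ? 'VULNERABLE' : 'PATCHED');
printf("gearmand on %s:4730 reachable from this host: %s\n", $host,
    gearmandReachable($host) ? 'yes' : 'no');
```

A "yes" from a host that should not be able to submit jobs means the network workaround above is not in effect; a "no" from the openITCOCKPIT host itself (with 127.0.0.1) means the job server is down or bound elsewhere, not that it is protected.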
📡 Detection & Monitoring
Log Indicators:
- Unusual Gearman job submissions from unexpected sources
- PHP errors related to unserialize() or object injection
- Abnormal process execution from Gearman worker context
Network Indicators:
- Unexpected connections to TCP/4730 from untrusted IPs
- Large or malformed payloads sent to Gearman service
SIEM Query:
source="gearman.log" AND ((dest_port=4730 AND NOT src_ip IN (trusted_ips)) OR message="*unserialize*" OR message="*__destruct*")
Pseudo-syntax: adapt field names and the IN/NOT operators to your SIEM, and keep the grouping, since an unparenthesized mix of AND and OR is evaluated in whatever order the query engine prefers. Note that gearmand does not log job payloads by default, so the unserialize/__destruct terms only match if PHP worker errors are shipped to the same index.
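The two detection ideas above (a Gearman connection from outside the trusted range, and a job payload that looks like a serialized PHP object) applied to constructed records, as an added example that is not part of the advisory or the product. The record layout, the trusted ranges and the sample payloads are invented for the demonstration; a real feed would come from a network tap, a proxy in front of gearmand, or a worker log that records workloads.

```php
<?php
// Added example, not project code. Flags records that match either indicator.

// Does an IPv4 address fall inside a CIDR range? A bare address counts as /32.
function ipInCidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr) + [1 => '32'];
    $bits = (int) $bits;
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return (ip2long($ip) & $mask) === (ip2long($net) & $mask);
}

// Serialized PHP objects start with O:<len>:"<class>": (or C:<len>:"<class>": for
// classes implementing Serializable), either at the start of the payload or right
// after a ';' or '{' when nested inside an array.
function looksLikePhpSerializedObject(string $workload): bool
{
    return (bool) preg_match('/(?:^|[;{])[OC]:\d+:"[A-Za-z_\\\\][\w\\\\]*":/', $workload);
}

// Returns the list of alerts for one record (empty array means nothing suspicious).
function inspectGearmanRecord(array $rec, array $trustedCidrs): array
{
    $alerts = [];
    if ($rec['dst_port'] === 4730) {
        $trusted = false;
        foreach ($trustedCidrs as $cidr) {
            if (ipInCidr($rec['src_ip'], $cidr)) {
                $trusted = true;
                break;
            }
        }
        if (!$trusted) {
            $alerts[] = "untrusted source {$rec['src_ip']} reached gearmand";
        }
    }
    if (looksLikePhpSerializedObject($rec['workload'])) {
        $alerts[] = 'workload contains a serialized PHP object';
    }
    return $alerts;
}

// Constructed sample records and a constructed trusted range.
$trusted = ['10.0.0.0/24', '127.0.0.1'];
$records = [
    ['src_ip' => '10.0.0.15',    'dst_port' => 4730,
     'workload' => '{"task":"check_host","host":"srv01"}'],
    ['src_ip' => '203.0.113.77', 'dst_port' => 4730,
     'workload' => 'O:10:"LogFlusher":2:{s:4:"path";s:10:"/tmp/x.php";s:4:"data";s:3:"abc";}'],
    ['src_ip' => '10.0.0.15',    'dst_port' => 4730,
     'workload' => 'a:1:{s:4:"task";O:8:"stdClass":0:{}}'],
];

foreach ($records as $i => $rec) {
    $alerts = inspectGearmanRecord($rec, $trusted);
    printf("record %d: %s\n", $i, $alerts ? implode('; ', $alerts) : 'ok');
}
```

The third record shows why the regex also looks after ';' and '{': a legitimate-looking serialized array can carry an object in one of its values, which unserialize() would still instantiate. If workers are supposed to receive JSON only, any payload that parses as serialized PHP is worth an alert regardless of the source address.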