CVE-2026-24892

7.5 HIGH

📋 TL;DR

openITCOCKPIT Community Edition 5.3.1 and earlier contains an unsafe PHP deserialization vulnerability in changelog processing. While no current exploit path exists, the unrestricted unserialize() call creates a latent PHP object injection vulnerability that could become exploitable through future code changes, plugins, or refactors. This affects all users running vulnerable versions of openITCOCKPIT Community Edition.

💻 Affected Systems

Products:
  • openITCOCKPIT Community Edition
Versions: 5.3.1 and earlier
Operating Systems: All platforms running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Community Edition; Enterprise Edition may have different code paths

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise if object injection becomes possible through future code changes

🟠

Likely Case

Currently no direct exploitation path exists, but the vulnerability remains latent and could become exploitable with any future modifications to the affected code path

🟢

If Mitigated

No impact if proper input validation and class restrictions are implemented during deserialization

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: HIGH

No current exploitation path exists, but the vulnerability is latent and could become exploitable with future code changes

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: openITCOCKPIT-5.4.0

Vendor Advisory: https://github.com/openITCOCKPIT/openITCOCKPIT/security/advisories/GHSA-g83p-vvjm-g39x

Restart Required: Yes

Instructions:

1. Back up your current installation and database.
2. Download openITCOCKPIT-5.4.0 from the official releases.
3. Follow the upgrade instructions in the documentation.
4. Restart the web server and any related services.

🔧 Temporary Workarounds

Input validation wrapper

Platform: all

Implement custom validation to sanitize changelog data before deserialization.

# Requires code modification - implement proper input validation in changelog processing
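The hardened pattern this workaround (and the "class restrictions" mitigation above) refers to, shown as an added example: this is illustrative code, not openITCOCKPIT's own changelog code, and the function name, the sample records and their field names are constructed. It restricts unserialize() so no object can be instantiated from the payload, then validates that the result is a plain array of scalars.

```php
<?php
// Added example (hypothetical helper, not openITCOCKPIT code): hardened
// deserialization of changelog data with class restriction plus validation.

/**
 * Deserialize changelog data without allowing any PHP object to be
 * instantiated, then validate the shape of the result.
 *
 * @throws InvalidArgumentException if the payload is malformed or is not a
 *         plain array of scalar values (string, int, float, bool, null).
 */
function unserializeChangelog(string $payload): array
{
    // allowed_classes => false: any object in the payload is turned into a
    // __PHP_Incomplete_Class placeholder instead of a live object, so no
    // constructor, __wakeup() or __destruct() of an application class can
    // run on attacker-controlled data. The @ only silences the notice that
    // unserialize() emits on malformed input; the return value is checked.
    $data = @unserialize($payload, ['allowed_classes' => false]);

    // unserialize() returns false on malformed input. "b:0;" (serialized
    // boolean false) is the one legitimate payload that also yields false,
    // so it is distinguished explicitly before treating false as an error.
    if ($data === false && $payload !== 'b:0;') {
        throw new InvalidArgumentException('Malformed changelog payload');
    }
    if (!is_array($data)) {
        throw new InvalidArgumentException('Changelog payload must be an array');
    }

    // Reject any leaf that is not a scalar or null. This also catches the
    // __PHP_Incomplete_Class placeholders left behind by blocked objects.
    array_walk_recursive($data, function ($value): void {
        if (!is_scalar($value) && $value !== null) {
            throw new InvalidArgumentException(
                'Changelog payload contains a non-scalar value: ' . get_debug_type($value)
            );
        }
    });

    return $data;
}

// Constructed sample: a legitimate changelog record (array of scalars).
$legit = serialize(['field' => 'hostname', 'old' => 'web01', 'new' => 'web02']);
var_dump(unserializeChangelog($legit)['new']); // string(5) "web02"

// Constructed sample: the same record with an embedded (harmless) object.
// An unrestricted unserialize() would instantiate it; here it is blocked
// by allowed_classes and then rejected by the shape check.
$withObject = serialize(['field' => 'hostname', 'extra' => new stdClass()]);
try {
    unserializeChangelog($withObject);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL; // ... non-scalar value: __PHP_Incomplete_Class
}
```

Requires PHP 7.0 or later for the `allowed_classes` option and PHP 8.0 or later for `get_debug_type()`. Where the stored format is under your control, storing changelog data as JSON and reading it back with `json_decode()` removes the object-injection surface entirely, since JSON cannot express PHP objects.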

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate openITCOCKPIT instances
  • Monitor for unusual activity in changelog processing and PHP execution logs

🔍 How to Verify

Check if Vulnerable:

Check the openITCOCKPIT version in the web interface or by examining the installation directory

Check Version:

grep -r 'APP_VERSION' /path/to/openitcockpit/config/

Alternatively, read the version shown in the web interface.

Verify Fix Applied:

Verify version is 5.4.0 or later and check that the unsafe unserialize() call has been replaced with proper validation

📡 Detection & Monitoring

Log Indicators:

  • Unusual PHP deserialization errors
  • Unexpected changelog entries with serialized data
  • PHP object instantiation in changelog context

Network Indicators:

  • Unusual POST requests to changelog endpoints
  • Serialized data in HTTP requests

SIEM Query:

source="openitcockpit_logs" AND ("unserialize" OR "changelog" AND "serialized")
