CVE-2026-27760 Overview
CVE-2026-27760 is a critical PHP code injection vulnerability affecting OpenCATS prior to commit 3002a29. The vulnerability exists in the installer AJAX endpoint and allows unauthenticated attackers to execute arbitrary code by injecting PHP statements into the databaseConnectivity action parameter. Attackers can break out of the define() string context in config.php using a single quote and statement separator to inject malicious PHP code that persists and executes on every subsequent page load when the installation wizard remains incomplete.
Critical Impact
Unauthenticated remote code execution allowing complete server compromise through persistent PHP code injection that executes on every page load.
Affected Products
- OpenCATS versions prior to commit 3002a29
- OpenCATS installations with incomplete installation wizard
- OpenCATS instances where INSTALL_BLOCK file does not exist
Discovery Timeline
- 2026-04-28 - CVE-2026-27760 published to NVD
- 2026-04-28 - Last updated in NVD database
Technical Details for CVE-2026-27760
Vulnerability Analysis
This vulnerability represents a classic PHP code injection attack (CWE-94) targeting the OpenCATS applicant tracking system. The root issue stems from insufficient input sanitization in the installer's AJAX endpoint, specifically within the databaseConnectivity action handler. When processing database configuration parameters, the application directly concatenates user-supplied input into PHP define() statements written to config.php without proper escaping.
The attack surface is particularly dangerous because it targets the installation wizard, which by design accepts unauthenticated requests. Once malicious PHP code is injected into the configuration file, it achieves persistence and executes on every subsequent page load, providing attackers with a reliable foothold for further exploitation.
Root Cause
The vulnerability originates in the modules/install/ajax/ui.php file where database configuration parameters are processed. The original code used simple string concatenation to build PHP configuration values:
CATSUtility::changeConfigSetting('DATABASE_USER', "'" . $_REQUEST['user'] . "'");
This approach fails to sanitize input containing single quotes, allowing attackers to escape the string context and inject arbitrary PHP statements. The CATSUtility::changeConfigSetting() function in lib/CATSUtility.php then writes these unsanitized values directly to config.php.
Attack Vector
The attack is network-accessible and requires no authentication or user interaction. An attacker can exploit this vulnerability by sending crafted HTTP requests to the installer AJAX endpoint with malicious payloads in the database configuration parameters (user, pass, host, or name). By including a single quote followed by a semicolon and PHP code, the attacker can break out of the define() statement and inject code that will be written to config.php and executed persistently.
The security patch addresses this vulnerability in two ways. First, it restricts AJAX requests during installation to only allow installer-specific actions in ajax.php:
$installerActive = (!file_exists('INSTALL_BLOCK'));
if ($installerActive)
{
$module = '';
if (strpos($_REQUEST['f'], ':') !== false)
{
$parameters = explode(':', $_REQUEST['f']);
$module = preg_replace("/[^A-Za-z0-9]/", "", $parameters[0]);
}
if ($module !== 'install')
{
header('Content-type: text/xml');
echo '<?xml version="1.0" encoding="', AJAX_ENCODING, '"?>', "\n";
echo(
"<data>\n" .
" <errorcode>-1</errorcode>\n" .
" <errormessage>Installer is active. Only installer AJAX actions are allowed.</errormessage>\n" .
"</data>\n"
);
die();
}
}
Source: GitHub Commit Update
Second, the patch replaces unsafe string concatenation with var_export() for proper escaping in modules/install/ajax/ui.php:
if (isset($_REQUEST['user']) && !empty($_REQUEST['user']))
{
CATSUtility::changeConfigSetting('DATABASE_USER', var_export($_REQUEST['user'], true));
}
if (isset($_REQUEST['pass']) && $_REQUEST['pass'] !== '')
{
CATSUtility::changeConfigSetting('DATABASE_PASS', var_export($_REQUEST['pass'], true));
}
if (isset($_REQUEST['host']) && !empty($_REQUEST['host']))
{
CATSUtility::changeConfigSetting('DATABASE_HOST', var_export($_REQUEST['host'], true));
}
if (isset($_REQUEST['name']) && !empty($_REQUEST['name']))
{
CATSUtility::changeConfigSetting('DATABASE_NAME', var_export($_REQUEST['name'], true));
}
Source: GitHub Commit Update
Detection Methods for CVE-2026-27760
Indicators of Compromise
- Unexpected modifications to config.php containing PHP code beyond standard define() statements
- Web server logs showing repeated POST requests to /modules/install/ajax/ui.php with unusual parameter values
- Presence of PHP web shells or backdoor code in configuration files
- Execution of unexpected PHP code on page loads, observable through process monitoring
Detection Strategies
- Monitor file integrity of config.php and alert on unauthorized modifications
- Implement web application firewall (WAF) rules to detect single quote injection attempts in installer endpoints
- Audit HTTP request logs for access to installer AJAX endpoints from unexpected sources
- Deploy endpoint detection to identify unauthorized PHP process execution
Monitoring Recommendations
- Enable file integrity monitoring on all OpenCATS configuration files
- Configure alerts for access attempts to installation endpoints on production systems
- Monitor for outbound network connections initiated by the web server process
- Review PHP error logs for syntax errors that may indicate injection attempts
How to Mitigate CVE-2026-27760
Immediate Actions Required
- Update OpenCATS to commit 3002a29 or later immediately
- Create an INSTALL_BLOCK file in the OpenCATS root directory to disable the installer
- Review config.php for any injected malicious code and restore from a known-good backup if compromised
- Restrict network access to the OpenCATS installation endpoints using firewall rules
Patch Information
The vulnerability has been addressed in OpenCATS commit 3002a29f4c3cada1aa2c4f3d4ae4e189906606b6. The fix implements two key security improvements: restricting AJAX functionality during installation mode to only allow installer-specific actions, and replacing unsafe string concatenation with var_export() to properly escape user input before writing to configuration files. Organizations should update to this commit or any subsequent release that includes this patch. For detailed information, see the GitHub Pull Request Discussion and the VulnCheck Advisory on OpenCATS.
Workarounds
- Create an empty INSTALL_BLOCK file in the OpenCATS root directory to disable installer functionality
- Configure web server rules to deny access to /modules/install/ directory from external networks
- Implement network segmentation to restrict access to OpenCATS administrative endpoints
- Use a web application firewall to block requests containing PHP code patterns in installer parameters
# Configuration example
# Create INSTALL_BLOCK file to disable installer
touch /var/www/opencats/INSTALL_BLOCK
chmod 644 /var/www/opencats/INSTALL_BLOCK
# Block access to installer via Apache .htaccess
echo '<Directory "/var/www/opencats/modules/install">
Require all denied
</Directory>' >> /etc/apache2/sites-available/opencats.conf
# Or via Nginx
# location /modules/install {
# deny all;
# return 403;
# }
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
