CVE-2026-28516 Overview
openDCIM version 23.04, through commit 4467e9c4, contains a SQL injection vulnerability in Config::UpdateParameter. The install.php and container-install.php handlers pass user-supplied input directly into SQL statements using string interpolation without prepared statements or proper input sanitation. An authenticated user can execute arbitrary SQL statements against the underlying database, potentially leading to complete database compromise, data exfiltration, or remote code execution.
Critical Impact
This SQL injection vulnerability allows authenticated attackers to execute arbitrary SQL statements against the underlying database, potentially enabling data theft, database manipulation, or escalation to remote code execution through database features.
Affected Products
- openDCIM version 23.04
- openDCIM commits up to and including 4467e9c4
Discovery Timeline
- 2026-02-27 - CVE CVE-2026-28516 published to NVD
- 2026-03-02 - Last updated in NVD database
Technical Details for CVE-2026-28516
Vulnerability Analysis
This vulnerability is classified as CWE-89 (SQL Injection), a critical web application security flaw that occurs when user-controlled input is incorporated into SQL queries without proper sanitization or parameterization. In openDCIM's case, the Config::UpdateParameter function accepts user input that flows through the install.php and container-install.php handlers directly into database queries.
The fundamental issue stems from the use of string interpolation to construct SQL statements rather than using prepared statements with parameterized queries. This architectural flaw allows an authenticated attacker to inject malicious SQL syntax that alters the intended query logic, enabling them to read, modify, or delete database contents, and potentially achieve remote code execution through database-specific features like INTO OUTFILE or user-defined functions.
Root Cause
The root cause of this vulnerability is improper input handling in the Config::UpdateParameter function within openDCIM. The application uses string concatenation or interpolation to build SQL queries, directly embedding user-supplied values without utilizing prepared statements or input sanitization. This violates secure coding best practices for database interaction and creates a direct path for SQL injection attacks.
The vulnerable code paths exist in both install.php and container-install.php, which handle configuration parameter updates. Technical details of the vulnerable code can be reviewed in the GitHub Installation Code Snippet and GitHub Configuration Code Snippet.
Attack Vector
The attack is network-based and requires authentication to the openDCIM application. An authenticated attacker can craft malicious input containing SQL syntax and submit it through the configuration update functionality. The injected SQL payload is then executed against the database with the privileges of the application's database user.
Security researcher Chocapikk has documented how this SQL injection vulnerability can be escalated to remote code execution. For detailed technical analysis, see the SQLi to RCE writeup and the exploit repository.
The vulnerability manifests when user input is passed to the Config::UpdateParameter function without proper sanitization. An attacker can inject SQL statements by manipulating parameter values sent to the install.php or container-install.php endpoints. The malicious SQL is then concatenated into the query string and executed, allowing the attacker to perform unauthorized database operations.
Detection Methods for CVE-2026-28516
Indicators of Compromise
- Unusual SQL error messages in web application logs, particularly from install.php or container-install.php
- Unexpected database queries containing SQL injection patterns (e.g., UNION SELECT, ' OR 1=1, comment sequences like -- or /*)
- Evidence of data exfiltration or unauthorized database access in MySQL/MariaDB query logs
- Web server access logs showing suspicious requests to configuration endpoints with encoded or malformed parameters
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block common SQL injection patterns targeting the install.php and container-install.php endpoints
- Enable database query logging and monitor for anomalous query patterns, particularly those involving system tables or file operations
- Deploy SentinelOne Singularity XDR to detect post-exploitation activities such as database-to-shell pivoting or suspicious file writes
- Configure intrusion detection systems to alert on SQL injection attack signatures in HTTP traffic
Monitoring Recommendations
- Monitor database audit logs for queries executed against system tables (information_schema, mysql.user) or queries containing file operation functions
- Enable web server access logging with full request body capture for the affected endpoints during the remediation period
- Set up alerts for any access to install.php or container-install.php after initial installation, as these should not be accessed in normal operations
How to Mitigate CVE-2026-28516
Immediate Actions Required
- Review your openDCIM installation and identify if you are running version 23.04 or commit 4467e9c4 or earlier
- Apply the security patch from GitHub Pull Request #1664 immediately
- Restrict network access to the openDCIM installation to trusted IP ranges only
- Review database logs for evidence of exploitation and audit database contents for unauthorized modifications
Patch Information
The openDCIM development team has addressed this vulnerability in Pull Request #1664. The fix implements prepared statements with parameterized queries to prevent SQL injection in the Config::UpdateParameter function. The specific code changes can be reviewed in the PR changes commit.
Organizations should update to the latest version of openDCIM that includes this fix. For additional details, see the VulnCheck advisory.
Workarounds
- Remove or rename install.php and container-install.php files if initial installation is complete and these endpoints are no longer needed
- Implement a web application firewall rule to block access to the affected endpoints or filter requests containing SQL injection patterns
- Restrict database user privileges for the openDCIM application to minimum required permissions, preventing FILE privileges and access to system tables
- Place openDCIM behind an authentication proxy or VPN to limit exposure while awaiting patching
# Example: Remove installation files after setup is complete
cd /var/www/opendcim
mv install.php install.php.disabled
mv container-install.php container-install.php.disabled
chmod 000 install.php.disabled container-install.php.disabled
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
