CVE-2026-38751 Overview
CVE-2026-38751 is an arbitrary file upload vulnerability affecting OpenSTAManager version 2.10 and earlier. The flaw resides in the module update functionality implemented in modules/aggiornamenti/upload_modules.php. Authenticated attackers with high privileges can upload arbitrary files to the server, leading to remote code execution within the application context. The issue is classified under CWE-434: Unrestricted Upload of File with Dangerous Type.
Critical Impact
Successful exploitation grants attackers full control over the application server through arbitrary file upload, compromising confidentiality, integrity, and availability of the OpenSTAManager instance.
Affected Products
- OpenSTAManager version 2.10
- OpenSTAManager versions earlier than 2.10
- Deployments using modules/aggiornamenti/upload_modules.php
Discovery Timeline
- 2026-05-04 - CVE-2026-38751 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2026-38751
Vulnerability Analysis
OpenSTAManager exposes a module update interface that accepts uploaded archives or files used to install or update application modules. The handler in modules/aggiornamenti/upload_modules.php does not enforce sufficient validation on the type or content of the uploaded file. An authenticated attacker holding administrative privileges can submit a crafted payload that places executable code within the web root or within a path served by the PHP interpreter. Once written to disk, the attacker requests the file through the web server and executes arbitrary PHP code with the privileges of the application user.
The issue maps to CWE-434, which covers unrestricted upload of files with dangerous types. The vulnerability requires network access to the management interface and authenticated high-privilege access. No user interaction is needed once the attacker is authenticated.
Root Cause
The root cause is missing or insufficient server-side validation in the module update handler. The script trusts the uploaded payload during the module installation workflow without verifying file extension, MIME type, content signature, or destination path. This permits PHP scripts and other executable content to be written to a location reachable by the web server.
Attack Vector
The attack vector is network-based. An authenticated administrator account is required to reach the upload endpoint. After authentication, the attacker submits a crafted module package containing a malicious PHP file. The attacker then issues an HTTP request to the uploaded file to trigger code execution. Public proof-of-concept material is referenced in the GitHub PoC Repository, and the project source resides in the OpenSTAManager Repository.
Detection Methods for CVE-2026-38751
Indicators of Compromise
- Unexpected .php, .phtml, or .phar files appearing under module directories such as modules/aggiornamenti/ or any path written by the update routine.
- HTTP POST requests to modules/aggiornamenti/upload_modules.php followed shortly by GET requests to newly created files.
- New administrator sessions originating from unusual IP addresses preceding upload activity.
- Outbound connections from the PHP-FPM or web server process to unfamiliar hosts after a module upload event.
Detection Strategies
- Monitor file integrity on the OpenSTAManager web root and module directories, alerting on creation of executable scripts.
- Inspect web server access logs for sequences combining upload_modules.php POSTs with subsequent direct requests to module files.
- Correlate authentication events with module update activity to flag uploads performed by accounts that do not normally administer modules.
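The log-sequence rule from the indicators and strategies above, worked through as an added Python example (not tooling from the OpenSTAManager project). The access-log lines are constructed for the example, and the known_scripts set stands in for a real baseline of the files a clean install ships.

```python
import re
from datetime import datetime, timedelta

UPLOAD_ENDPOINT = "/modules/aggiornamenti/upload_modules.php"
# Suffixes the PHP handler would execute if a dropped file is requested directly.
EXEC_EXT = re.compile(r"\.(php|phtml|phar)$", re.IGNORECASE)
# Combined/common access-log format; only the fields the rule needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not from a real incident): one upload followed within
# seconds by a request to a new script, one normal module page view, and one upload
# whose follow-up request falls outside the default ten-minute correlation window.
SAMPLE_LOG = """\
10.0.0.5 - - [04/May/2026:10:01:02 +0000] "POST /modules/aggiornamenti/upload_modules.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [04/May/2026:10:01:09 +0000] "GET /modules/aggiornamenti/cache.php?v=2 HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.0.7 - - [04/May/2026:11:30:00 +0000] "GET /modules/aggiornamenti/index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.9 - - [04/May/2026:12:00:00 +0000] "POST /modules/aggiornamenti/upload_modules.php HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.9 - - [04/May/2026:12:20:00 +0000] "GET /modules/aggiornamenti/cache.phtml HTTP/1.1" 200 88 "-" "curl/8.0"
"""

def parse_line(line):
    """Return a dict for one access-log line, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop the query string before matching
        "status": int(m["status"]),
    }

def upload_then_script_request(lines, window=timedelta(minutes=10),
                               known_scripts=frozenset({"/modules/aggiornamenti/index.php"})):
    """Flag (upload_time, requester_ip, path) where a successful POST to the upload
    endpoint is followed within `window` by a GET for a script under /modules/ that
    is not in the known-install baseline (assumed here, supplied by a real FIM tool)."""
    events = [e for e in map(parse_line, lines) if e]
    uploads = [e for e in events if e["method"] == "POST"
               and e["path"] == UPLOAD_ENDPOINT and e["status"] == 200]
    hits = []
    for up in uploads:
        for e in events:
            if (e["method"] == "GET" and up["ts"] <= e["ts"] <= up["ts"] + window
                    and e["path"].startswith("/modules/") and EXEC_EXT.search(e["path"])
                    and e["path"] not in known_scripts):
                hits.append((up["ts"].isoformat(), e["ip"], e["path"]))
    return hits
```

Widening the window trades false positives for recall: with the sample lines the default window reports only the first upload, a 30-minute window reports both.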
Monitoring Recommendations
- Forward web server, PHP error, and application audit logs to a centralized log platform for retention and correlation.
- Track process lineage on the host to detect web server processes spawning shells, curl, wget, or php interpreters against attacker-controlled files.
- Alert on changes to files under the OpenSTAManager installation outside of approved maintenance windows.
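A minimal file-integrity check of the kind the first monitoring point above and the file-integrity strategy under Detection Strategies call for, written here as an added Python illustration rather than tooling from the OpenSTAManager project. The install tree is a temporary directory constructed inside the example; in practice the baseline would be taken from a known-clean deployment.

```python
import hashlib
import os
import pathlib
import tempfile

# Suffixes the PHP interpreter would execute if such a file appears under the web root.
EXEC_SUFFIXES = (".php", ".phtml", ".phar")

def snapshot(root):
    """Map each regular file under root (path relative to root) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def diff_snapshots(before, after):
    """Compare two snapshots. Returns (alerts, changes): alerts are created or
    modified executable scripts; changes are every other difference, kept for review."""
    alerts, changes = [], []
    for path, digest in after.items():
        if path not in before:
            kind = "created"
        elif before[path] != digest:
            kind = "modified"
        else:
            continue
        bucket = alerts if path.lower().endswith(EXEC_SUFFIXES) else changes
        bucket.append((kind, path))
    for path in before.keys() - after.keys():
        changes.append(("deleted", path))
    return sorted(alerts), sorted(changes)

def demo():
    """Constructed scenario: baseline a fake install, then show what a module update
    that writes a new script into the module directory looks like to the monitor."""
    with tempfile.TemporaryDirectory() as root:
        mod = pathlib.Path(root, "modules", "aggiornamenti")
        mod.mkdir(parents=True)
        (mod / "upload_modules.php").write_text("<?php // placeholder for the real handler\n")
        (mod / "readme.txt").write_text("baseline\n")
        before = snapshot(root)
        (mod / "cache.phtml").write_text("<?php echo 'new script';\n")  # should alert
        (mod / "readme.txt").write_text("edited\n")                     # review only
        return diff_snapshots(before, snapshot(root))

if __name__ == "__main__":
    print(demo())
```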
How to Mitigate CVE-2026-38751
Immediate Actions Required
- Upgrade OpenSTAManager to a release later than 2.10 once a fixed version is published by the maintainers.
- Restrict access to the /modules/aggiornamenti/ path and the administrative interface to trusted networks only.
- Audit administrator accounts and rotate credentials, removing accounts that are not strictly required.
- Review module directories for unauthorized files and remove any artifacts that cannot be attributed to a legitimate install.
Patch Information
No vendor patch identifier is listed in the NVD entry at the time of publication. Track the OpenSTAManager Repository for release notes addressing CVE-2026-38751 and apply the fixed version when available.
Workarounds
- Block external access to modules/aggiornamenti/upload_modules.php at the reverse proxy or web application firewall.
- Configure the web server to deny execution of PHP files inside writable upload directories.
- Limit the administrative role to a small number of trusted operators and enforce multi-factor authentication on those accounts.
# Example nginx configuration to block PHP execution in module upload paths.
# nginx uses the first matching regex location in file order, so this block must
# appear before the generic "location ~ \.php$" block that passes requests to
# PHP-FPM, or it is never reached. "return 403" runs in the rewrite phase, before
# "deny all" in the access phase; the deny is kept as a safety net. Note that as
# written this also covers the module's own pages, including upload_modules.php.
location ~ ^/modules/aggiornamenti/.*\.(php|phtml|phar)$ {
    deny all;
    return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.