Platform: php
Component: devcode-it/openstamanager
Fixed in: 2.10.3, 2.10.2
CVE-2026-29782 is a Remote Code Execution (RCE) vulnerability affecting OpenSTAManager versions up to v2.9.8. This vulnerability stems from an unauthenticated endpoint (oauth2.php) that utilizes unserialize() on attacker-controlled data without proper class restrictions. Successful exploitation allows an attacker to execute arbitrary code on the server, potentially leading to complete system compromise. A fix is available in version 2.10.2.
The impact of CVE-2026-29782 is significant because the endpoint is reachable without authentication and the outcome is remote code execution. An attacker sends a crafted OAuth2 request whose state parameter carries a serialized PHP object. Because the unserialize() call has no allowed_classes restriction, any class the application can autoload is instantiated with attacker-chosen property values, and PHP magic methods such as __wakeup() and __destruct() on those objects then run; this is the standard PHP object injection path from unrestricted unserialize() to code execution. The result can be data theft, full takeover of the host and lateral movement into the rest of the network. The endpoint also relies on data stored in the zz_oauth2 table, so an attacker who can write to that table (for example through the previously reported SQL injection) has a second way to reach the same unserialize() sink.
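The following is an added example, not code from OpenSTAManager or from the advisory. It shows the pattern described above in miniature: a client-supplied state value fed to unserialize() with no class restriction, beside the two hardened forms (allowed_classes => false, and not deserializing state at all). The LogWriter class, the function names and the session layout are assumptions made for the demo, not the project's real code.

```php
<?php
declare(strict_types=1);

// Added example (not OpenSTAManager code). Demonstrates why an unrestricted
// unserialize() on a client-controlled OAuth2 "state" value is a code execution
// sink, and two hardened alternatives. All names here are illustrative.

// Hypothetical gadget class standing in for whatever the real application and
// its vendor libraries autoload. It records destructor runs in a static array
// so the demo has no file-system side effects.
final class LogWriter
{
    /** @var string[] */
    public static array $events = [];

    public string $target = '';

    public function __destruct()
    {
        // A real gadget might do file_put_contents($this->target, ...) here.
        self::$events[] = 'destructor ran with target=' . $this->target;
    }
}

// Vulnerable pattern: the client's bytes come back as live objects of any class.
function restoreStateVulnerable(string $state): mixed
{
    return unserialize(base64_decode($state, true) ?: '');
}

// Hardening 1: forbid every class. Objects come back as __PHP_Incomplete_Class
// and none of the named class's magic methods are invoked.
function restoreStateNoClasses(string $state): mixed
{
    return unserialize(base64_decode($state, true) ?: '', ['allowed_classes' => false]);
}

// Hardening 2 (preferred for OAuth2): never deserialize state. Issue a random
// nonce, keep it server-side, and compare on the callback with hash_equals().
function issueState(array &$session): string
{
    $nonce = bin2hex(random_bytes(16));
    $session['oauth2_state'] = $nonce;
    return $nonce;
}

function verifyState(array &$session, string $received): bool
{
    $expected = $session['oauth2_state'] ?? '';
    unset($session['oauth2_state']); // single use
    return $expected !== '' && hash_equals($expected, $received);
}

// Constructed payload: what an attacker would place in ?state= (URL-encoded).
$gadget = new LogWriter();
$gadget->target = '/var/www/html/shell.php';
$payload = base64_encode(serialize($gadget));

$obj = restoreStateVulnerable($payload);
printf("vulnerable: got %s\n", get_class($obj));
unset($obj); // the attacker-defined object's destructor fires here
printf("events: %s\n", implode('; ', LogWriter::$events));

$obj = restoreStateNoClasses($payload);
printf("hardened:   got %s\n", get_class($obj));
unset($obj); // no LogWriter destructor: the object was never a LogWriter

$session = [];
$state = issueState($session);
printf("nonce state accepted: %s\n", var_export(verifyState($session, $state), true));
$state = issueState($session);
printf("serialized blob accepted: %s\n", var_export(verifyState($session, $payload), true));
```

Run with `php demo.php` on PHP 8. The vulnerable path hands back a LogWriter whose destructor runs with the attacker's property value; the allowed_classes => false path returns an inert __PHP_Incomplete_Class; the nonce path never parses the blob at all, which is the shape a patched OAuth2 callback should take.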
CVE-2026-29782 was publicly disclosed on 2026-04-01. It is linked to an earlier SQL injection (GHSA-2fr7-cc4f-wh98) that lets an attacker write to the zz_oauth2 table, which lowers the bar for exploitation. The EPSS score at the time of writing is 0.11% (29th percentile); EPSS estimates the probability of exploitation in the wild over the next 30 days and says nothing about severity, so it should not be read as downgrading an unauthenticated RCE. No public proof-of-concept has been observed as of this writing, but the trigger is a single crafted request, which makes one likely.
Exploit Status
EPSS: 0.11% (29th percentile)
The primary mitigation for CVE-2026-29782 is to upgrade OpenSTAManager to version 2.10.2 or later, which contains the fix. If an immediate upgrade is not possible, reduce exposure in the meantime. Restrict write access to the zz_oauth2 table to the application's own database account, so the SQL injection chain cannot seed it. Add a WAF rule that rejects requests to oauth2.php whose state parameter contains PHP serialization markers such as O:<digits>: or a:<digits>:, including URL-encoded and base64-wrapped forms. If you can patch locally, pass ['allowed_classes' => false] to the unserialize() call on that endpoint, or stop serializing state altogether and use an opaque random nonce kept server-side; first check whether any legitimate OAuth2 flow depends on objects in state, since it would break. Monitor access logs for requests to oauth2.php carrying unusually long or serialized-looking state values. After upgrading, confirm the fix by reading the patched endpoint to check that client-supplied state is no longer passed to an unrestricted unserialize(), and, in a test environment, by sending a state value that serializes a harmless built-in such as stdClass and confirming the endpoint rejects it rather than handing back a live object.
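The log-monitoring and WAF advice above is easier to act on with a concrete matcher. The following is an added example, not code from OpenSTAManager or the advisory: it scans access-log lines for requests to oauth2.php whose state parameter looks like a PHP-serialized object, whether raw, URL-encoded or base64-wrapped. The log lines are constructed for the demo; the endpoint path and parameter name come from the advisory, and the combined log format is assumed.

```php
<?php
declare(strict_types=1);

// Added example (not OpenSTAManager code). Flags access-log entries that hit
// oauth2.php with a "state" value carrying PHP serialization tokens. The same
// token regex is what a WAF rule for this endpoint would key on.

// True when $value starts with, or embeds after ; or {, a PHP serialization
// token such as  O:9:"LogWriter":  a:2:{  C:3:"Foo":  (object, array, custom).
function looksSerializedPhp(string $value): bool
{
    $token = '/(?:^|[;{])(?:O|a|C):\d+:/';
    if (preg_match($token, $value) === 1) {
        return true;
    }
    // Strict base64 decoding rejects strings with characters outside the
    // alphabet, so an ordinary hex nonce is tried but practically never matches.
    $decoded = base64_decode($value, true);
    return $decoded !== false && preg_match($token, $decoded) === 1;
}

// Returns one entry per suspicious request: line number, client IP, decoded state.
function suspiciousOauth2Requests(array $logLines): array
{
    $hits = [];
    // 1: client IP, 2: request path ending in oauth2.php, 3: query string (optional)
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\/[^ ?]*oauth2\.php)(?:\?([^ ]*))? HTTP/';
    foreach ($logLines as $i => $line) {
        if (preg_match($re, $line, $m) !== 1) {
            continue;
        }
        parse_str($m[3] ?? '', $params); // parse_str URL-decodes each value once
        $state = $params['state'] ?? '';
        if (is_string($state) && $state !== '' && looksSerializedPhp($state)) {
            $hits[] = ['line' => $i + 1, 'client' => $m[1], 'state' => $state];
        }
    }
    return $hits;
}

// Constructed sample: a benign nonce, a raw serialized object, the same object
// base64-wrapped, and a serialized-looking value on an unrelated endpoint.
$serialized = 'O:9:"LogWriter":1:{s:6:"target";s:10:"/tmp/x.php";}';
$sampleLog = [
    '10.0.0.5 - - [01/Apr/2026:10:00:01 +0000] "GET /oauth2.php?code=abc123&state=9f86d081884c7d65 HTTP/1.1" 302 0',
    '10.0.0.9 - - [01/Apr/2026:10:00:07 +0000] "GET /oauth2.php?code=abc123&state=' . rawurlencode($serialized) . ' HTTP/1.1" 500 0',
    '10.0.0.9 - - [01/Apr/2026:10:00:09 +0000] "GET /oauth2.php?state=' . rawurlencode(base64_encode($serialized)) . ' HTTP/1.1" 500 0',
    '10.0.0.7 - - [01/Apr/2026:10:00:11 +0000] "GET /index.php?state=O:1:x HTTP/1.1" 200 4096',
];

foreach (suspiciousOauth2Requests($sampleLog) as $hit) {
    printf("line %d: client %s sent serialized state: %s\n", $hit['line'], $hit['client'], $hit['state']);
}
```

Pipe real lines in with `grep oauth2.php access.log` and adapt the regex if your log format differs. The token check deliberately fires on arrays and custom-serialized classes as well as objects, because a legitimate state value for this endpoint has no reason to contain any of them; a 500 status on the same request, as in the constructed lines, is a useful secondary signal that a gadget chain was attempted.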
Update OpenSTAManager to version 2.10.2 or higher. This version fixes the insecure deserialization vulnerability in the OAuth2 endpoint.
CVE-2026-29782 is a Remote Code Execution vulnerability in OpenSTAManager versions up to v2.9.8, allowing unauthenticated attackers to execute arbitrary code via a crafted OAuth2 request.
You are affected if you are running OpenSTAManager versions prior to 2.10.2 and have not implemented mitigating controls.
Upgrade OpenSTAManager to version 2.10.2 or later. As a temporary workaround, restrict write access to the zz_oauth2 table and implement WAF rules.
While no public exploits have been confirmed, the vulnerability's ease of exploitation makes it a likely target for attackers.
Refer to the OpenSTAManager security advisories on their GitHub repository: https://github.com/devcode-it/openstamanager/security/advisories