CVE-2026-27894 (GCVE-0-2026-27894)
Vulnerability from cvelistv5 – Published: 2026-03-17 23:48 – Updated: 2026-03-18 19:54
Title
LAM has Authenticated Local File Inclusion (LFI) in PDF export
Summary
LDAP Account Manager (LAM) is a web frontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to version 9.5, a local file inclusion in the PDF export allows an authenticated user to include local PHP files and thereby execute code. Combined with GHSA-88hf-2cjm-m9g8, this allows arbitrary code execution. An attacker must be logged in to LAM to exploit this vulnerability. Version 9.5 fixes the issue. Upgrading is recommended; as a workaround, make /var/lib/ldap-account-manager/config (the config path used by the Debian packages; other installations may keep it elsewhere) read-only for the web-server user and delete the PDF profile files, which makes PDF exports impossible until the upgrade.
Severity
8.8 (High), CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (2026-03-18): Exploitation none, Automatable no, Technical Impact total
CWE
- CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Assigner
GitHub_M
References
| URL | Tags |
|---|---|
| https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-w7xq-vjr3-p9cf | x_refsource_CONFIRM |
| https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-88hf-2cjm-m9g8 | x_refsource_MISC |
| https://github.com/LDAPAccountManager/lam/releases/tag/9.5 | x_refsource_MISC |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| LDAPAccountManager | lam | Affected: < 9.5 |
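As an added audit check (example code written for this page, not code from the LAM project), the following Python script takes the installed LAM version string and the config directory and reports whether the install is in the CNA's affected range ("< 9.5") and whether the advisory's workaround is actually in place: it walks the config directory for anything still writable by the web-server user (classic mode bits only; POSIX ACLs are not examined) and lists any PDF profile files that remain. Two assumptions are not stated by the advisory: PDF profiles are looked for as *.xml files below <config>/pdf/ (LAM's usual layout), and the web-server account defaults to www-data.

```python
#!/usr/bin/env python3
"""Audit a LAM install for CVE-2026-27894 (LFI in PDF export, fixed in 9.5).

Added example, not code from the LAM project. Assumptions: the caller supplies
the installed version string; PDF profiles are *.xml files below <config>/pdf/
(LAM's usual layout, not stated by the advisory); the web-server user is www-data.
"""
import argparse
import grp
import os
import pwd
import re
import stat
from pathlib import Path

FIXED_VERSION = "9.5"
DEFAULT_CONFIG_DIR = "/var/lib/ldap-account-manager/config"  # path named in the advisory


def parse_version(v):
    """'9.4.1-2ubuntu1' -> (9, 4, 1); packaging suffixes after the dotted part are ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", v)
    if not m:
        raise ValueError("unparseable version: %r" % v)
    return tuple(int(p) for p in m.group(1).split("."))


def version_lt(a, b):
    """Compare dotted versions after zero-padding, so that 9.5 == 9.5.0 and 9.10 > 9.5."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


def is_affected(version):
    """True for every release before 9.5 (the CNA's affected range '< 9.5')."""
    return version_lt(version, FIXED_VERSION)


def writable_by(path, uid, gids):
    """Could a process with this uid and group set write `path`?

    Checks classic mode bits only: POSIX ACLs are not examined and root is not
    special-cased, so treat a 'not writable' answer as necessary, not sufficient.
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:  # dangling symlink: nothing to write
        return False
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def web_writable_paths(config_dir, uid, gids):
    """Every directory or file under config_dir the web-server user could still write."""
    root = Path(config_dir)
    if not root.is_dir():
        return []
    return sorted(str(p) for p in [root, *root.rglob("*")] if writable_by(p, uid, gids))


def remaining_pdf_profiles(config_dir):
    """PDF profile files still present (assumed layout: <config>/pdf/**/*.xml)."""
    pdf_dir = Path(config_dir, "pdf")
    if not pdf_dir.is_dir():
        return []
    return sorted(str(p) for p in pdf_dir.rglob("*.xml"))


def audit(version, config_dir, uid, gids):
    """Run all checks; empty 'web_writable' and 'pdf_profiles' lists mean the
    advisory's workaround is fully applied."""
    return {
        "affected": is_affected(version),
        "web_writable": web_writable_paths(config_dir, uid, gids),
        "pdf_profiles": remaining_pdf_profiles(config_dir),
    }


def user_ids(name):
    """uid and full group set of a local account, e.g. the web server's www-data."""
    pw = pwd.getpwnam(name)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if name in g.gr_mem}
    return pw.pw_uid, gids


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description=__doc__.splitlines()[0])
    ap.add_argument("version", help="installed LAM version, e.g. from dpkg-query -W ldap-account-manager")
    ap.add_argument("--config-dir", default=DEFAULT_CONFIG_DIR)
    ap.add_argument("--web-user", default="www-data")
    args = ap.parse_args()
    uid, gids = user_ids(args.web_user)
    result = audit(args.version, args.config_dir, uid, gids)
    print("affected by CVE-2026-27894:", result["affected"])
    for key in ("web_writable", "pdf_profiles"):
        for p in result[key]:
            print("%s: %s" % (key, p))
    # non-zero exit: vulnerable version and the workaround is incomplete
    raise SystemExit(1 if result["affected"] and (result["web_writable"] or result["pdf_profiles"]) else 0)
```

Run it as root (so every file under the config directory can be stat'ed), e.g. `python3 lam_audit.py "$(dpkg-query -W -f='${Version}' ldap-account-manager)"`. A clean result only shows that the mode bits match the advisory's workaround; it says nothing about GHSA-88hf-2cjm-m9g8, and upgrading to 9.5 remains the fix.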
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27894",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-18T19:54:01.110248Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-18T19:54:13.831Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lam",
"vendor": "LDAPAccountManager",
"versions": [
{
"status": "affected",
"version": "\u003c 9.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to version 9.5, a local file inclusion was detected in the PDF export that allows users to include local PHP files and this way execute code. In combination with GHSA-88hf-2cjm-m9g8 this allows to execute arbitrary code. Users need to login to LAM to exploit this vulnerability. Version 9.5 fixes the issue. Although upgrading is recommended, a workaround would be to make /var/lib/ldap-account-manager/config read-only for the web-server user and delete the PDF profile files (making PDF exports impossible)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-98",
"description": "CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-17T23:51:09.865Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-w7xq-vjr3-p9cf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-w7xq-vjr3-p9cf"
},
{
"name": "https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-88hf-2cjm-m9g8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-88hf-2cjm-m9g8"
},
{
"name": "https://github.com/LDAPAccountManager/lam/releases/tag/9.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/LDAPAccountManager/lam/releases/tag/9.5"
}
],
"source": {
"advisory": "GHSA-w7xq-vjr3-p9cf",
"discovery": "UNKNOWN"
},
"title": "LAM has Authenticated Local File Inclusion (LFI) in PDF export"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-27894",
"datePublished": "2026-03-17T23:48:06.530Z",
"dateReserved": "2026-02-24T15:19:29.717Z",
"dateUpdated": "2026-03-18T19:54:13.831Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-27894\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-18T00:16:19.607\",\"lastModified\":\"2026-03-18T14:52:44.227\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to version 9.5, a local file inclusion was detected in the PDF export that allows users to include local PHP files and this way execute code. In combination with GHSA-88hf-2cjm-m9g8 this allows to execute arbitrary code. Users need to login to LAM to exploit this vulnerability. Version 9.5 fixes the issue. Although upgrading is recommended, a workaround would be to make /var/lib/ldap-account-manager/config read-only for the web-server user and delete the PDF profile files (making PDF exports impossible).\"},{\"lang\":\"es\",\"value\":\"LDAP Account Manager (LAM) es una interfaz web para gestionar entradas (p. ej., usuarios, grupos, configuraciones DHCP) almacenadas en un directorio LDAP. Antes de la versi\u00f3n 9.5, se detect\u00f3 una inclusi\u00f3n local de ficheros en la exportaci\u00f3n de PDF que permite a los usuarios incluir ficheros PHP locales y de esta manera ejecutar c\u00f3digo. En combinaci\u00f3n con GHSA-88hf-2cjm-m9g8, esto permite ejecutar c\u00f3digo arbitrario. Los usuarios deben iniciar sesi\u00f3n en LAM para explotar esta vulnerabilidad. La versi\u00f3n 9.5 soluciona el problema. Aunque se recomienda la actualizaci\u00f3n, una soluci\u00f3n alternativa ser\u00eda hacer que /var/lib/ldap-account-manager/config sea de solo lectura para el usuario del servidor web y eliminar los ficheros de perfil de PDF (haciendo imposibles las exportaciones de PDF).\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-98\"}]}],\"references\":[{\"url\":\"https://github.com/LDAPAccountManager/lam/releases/tag/9.5\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-88hf-2cjm-m9g8\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-w7xq-vjr3-p9cf\",\"source\":\"security-advisories@github.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-27894\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-18T19:54:01.110248Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-18T19:54:05.503Z\"}}], \"cna\": {\"title\": \"LAM has Authenticated Local File Inclusion (LFI) in PDF export\", \"source\": {\"advisory\": \"GHSA-w7xq-vjr3-p9cf\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"LDAPAccountManager\", \"product\": \"lam\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 9.5\"}]}], \"references\": [{\"url\": \"https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-w7xq-vjr3-p9cf\", \"name\": \"https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-w7xq-vjr3-p9cf\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-88hf-2cjm-m9g8\", \"name\": \"https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-88hf-2cjm-m9g8\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/LDAPAccountManager/lam/releases/tag/9.5\", \"name\": \"https://github.com/LDAPAccountManager/lam/releases/tag/9.5\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to version 9.5, a local file inclusion was detected in the PDF export that allows users to include local PHP files and this way execute code. In combination with GHSA-88hf-2cjm-m9g8 this allows to execute arbitrary code. Users need to login to LAM to exploit this vulnerability. Version 9.5 fixes the issue. Although upgrading is recommended, a workaround would be to make /var/lib/ldap-account-manager/config read-only for the web-server user and delete the PDF profile files (making PDF exports impossible).\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-98\", \"description\": \"CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-17T23:51:09.865Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-27894\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-18T19:54:13.831Z\", \"dateReserved\": \"2026-02-24T15:19:29.717Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-17T23:48:06.530Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}