CVE-2026-27012
OpenSTAManager affected by unauthenticated privilege escalation via modules/utenti/actions.php
Description
### Summary A privilege escalation and authentication bypass vulnerability in OpenSTAManager allows any attacker to arbitrarily change a user's group (`idgruppo`) by directly calling `modules/utenti/actions.php`. This can promote an existing account (e.g. agent) into the Amministratori group as well as demote any user including existing administrators. ### Details `modules/utenti/actions.php` is reachable directly via `http://<IP>:8080/modules/utenti/actions.php` and processes privileged information without requiring any authentication or authorization checks on fields like idgruppo. As a result, an attacker can submit a crafted POST request that updates the targets record and assigns it to the administrator group. The file explicitly sets: ```PHP $skip_permissions = true; include_once __DIR__.'/../../core.php'; ``` `core.php` then invokes: ```PHP Permissions::skip(); ``` Thus, disabling any authentication and permission enforcement. As a result, this file processes operations based on the `op` parameter in the POST request, not only `update_user`. Sensitive fields like `idgruppo` and others can be updated without verifying anything. ### PoC A target username exists, such as "agent" with an ID of 4. No authentication or cookies are required. Send the following POST request via Burp Suite or similar: <img width="1094" height="255" alt="image" src="https://github.com/user-attachments/assets/2e8cb148-1b5d-4e5c-9c73-05ed75d64188" /> The target's group is updated in the database. Verify the changes in the database before and after the POST request: <img width="1053" height="430" alt="image" src="https://github.com/user-attachments/assets/49f63ca0-8a04-4dd1-b27c-69699d2ce26f" /> Changes also visible in the administrator panel, they have been moved from the Agenti group to Amministratori. ### Impact An unauthenticated attacker can assign administrator privileges to existing users, modify group memberships, enable/disable accounts and other operations that are exposed in the file. This can lead to a full compromise of the application.
How to fix CVE-2026-27012
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- —no fix listed
Is CVE-2026-27012 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.