CVE-2026-27894 in laminfo

Summary

by MITRE • 03/18/2026

LDAP Account Manager (LAM) is a web frontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to version 9.5, a local file inclusion was detected in the PDF export that allows users to include local PHP files and this way execute code. In combination with GHSA-88hf-2cjm-m9g8 this allows execution of arbitrary code. Users need to log in to LAM to exploit this vulnerability. Version 9.5 fixes the issue. Although upgrading is recommended, a workaround would be to make /var/lib/ldap-account-manager/config read-only for the web-server user and delete the PDF profile files (making PDF exports impossible).


Analysis

by VulDB Data Team • 03/21/2026

The vulnerability identified as CVE-2026-27894 affects LDAP Account Manager (LAM), a widely used web-based interface for managing LDAP directory entries including users, groups, and system configurations. This web application serves as a critical management tool in enterprise environments where identity and access management are paramount. The flaw exists in the PDF export functionality of versions prior to 9.5, creating a dangerous local file inclusion vulnerability that can be exploited to execute arbitrary code on the server. The vulnerability specifically targets the PDF generation process where user-supplied input is not properly sanitized before being processed, allowing attackers to manipulate file inclusion paths.

The technical exploitation of this vulnerability involves leveraging the local file inclusion flaw within the PDF export module to include and execute local PHP files. This type of vulnerability maps directly to CWE-98, which describes "Improper Control of Generation of Code ('Code Injection')" and specifically relates to CWE-22, "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')". The attack requires authentication to the LAM application, meaning an attacker must first obtain valid credentials or exploit another vulnerability to gain access to the system. When combined with the related vulnerability GHSA-88hf-2cjm-m9g8, which likely represents a separate privilege escalation or authentication bypass issue, the impact becomes significantly more severe as attackers can achieve full system compromise without requiring additional authentication.

The operational impact of this vulnerability extends beyond simple code execution, as it can lead to complete system compromise and unauthorized access to sensitive directory information. Organizations using LAM versions prior to 9.5 face potential data breaches, system infiltration, and unauthorized modification of user accounts and group permissions. The vulnerability affects the core functionality of the application and can be exploited to gain persistence within the network, making it particularly dangerous in enterprise environments where LDAP directories often contain critical identity information. The attack surface is limited to authenticated users but can be expanded through credential compromise or social engineering attacks.

Security mitigations for this vulnerability include an immediate upgrade to LAM version 9.5 or later, which contains the necessary patches to address the local file inclusion flaw. Organizations should also implement the suggested workaround of making the configuration directory /var/lib/ldap-account-manager/config read-only for the web server user and removing the PDF profile files to prevent PDF export functionality. This approach effectively disables the vulnerable code path while maintaining other LAM functionality. Additionally, organizations should conduct comprehensive security assessments of their LDAP environments, implement proper access controls, and establish monitoring for unauthorized file modifications. The vulnerability demonstrates the importance of input validation and proper file handling in web applications, aligning with ATT&CK technique T1548.003 for privilege escalation and T1059.007 for command and script injection. Organizations should also consider implementing web application firewalls and regular security scanning to detect similar vulnerabilities in their infrastructure.
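As an added example (not from the advisory, LAM, or VulDB), the following POSIX shell script applies the interim workaround described above and then verifies it: the configuration directory is made read-only for the web-server user and the PDF profile files are removed. It assumes the web server runs as www-data and that PDF profiles are *.xml files in a pdf/ subdirectory of the configuration directory; neither detail comes from the advisory.

```shell
#!/bin/sh
# Added example: apply and verify the interim workaround for the LAM PDF
# export local file inclusion (config dir read-only for the web-server
# user, PDF profile files deleted). Assumed, not from the advisory: the
# web-server user is "www-data" and PDF profiles are pdf/*.xml under the
# config directory.

# lam_harden CONFIG_DIR WEB_USER
# Removes the PDF profile files, hands ownership of CONFIG_DIR to root
# (only when run as root) and strips group/other write bits so WEB_USER
# can still read the configuration but no longer write to it.
lam_harden() {
    cfg=$1; web_user=$2
    [ -d "$cfg" ] || { echo "no such directory: $cfg" >&2; return 2; }
    # 1. delete PDF profiles so the export code path has nothing to load
    [ -d "$cfg/pdf" ] && find "$cfg/pdf" -type f -name '*.xml' -exec rm -f {} +
    # 2. take ownership away from the web-server user and drop write bits
    if [ "$(id -u)" -eq 0 ]; then chown -R root:root "$cfg"; fi
    chmod -R go-w "$cfg"
}

# lam_check CONFIG_DIR WEB_USER
# Returns 0 when the workaround is in place, 1 when PDF profiles remain or
# any path under CONFIG_DIR is owned by WEB_USER or group/other writable.
lam_check() {
    cfg=$1; web_user=$2; rc=0
    id "$web_user" >/dev/null 2>&1 || { echo "unknown user: $web_user" >&2; return 2; }
    if [ -d "$cfg/pdf" ] && [ -n "$(find "$cfg/pdf" -type f -name '*.xml' -print | head -n 1)" ]; then
        echo "PDF profile files still present under $cfg/pdf"; rc=1
    fi
    if [ -n "$(find "$cfg" \( -user "$web_user" -o -perm -g+w -o -perm -o+w \) -print | head -n 1)" ]; then
        echo "$cfg is still writable by $web_user (ownership or mode)"; rc=1
    fi
    return $rc
}

# Typical use on a Debian-style install (path from the advisory, user assumed):
#   lam_harden /var/lib/ldap-account-manager/config www-data
#   lam_check  /var/lib/ldap-account-manager/config www-data
```

Run lam_check alone first to see what would change; lam_harden is destructive for PDF export, which is exactly the trade-off the workaround makes.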

Responsible: GitHub M
Reservation: 02/24/2026
Disclosure: 03/18/2026
Moderation: accepted
CPE: ready
EPSS: 0.00087
KEV: no
Activities: very low
