CVE-2026-27895 in lam
Summary
by MITRE • 03/18/2026
LDAP Account Manager (LAM) is a web frontend for managing entries (e.g. users, groups, DHCP settings) stored in an LDAP directory. Prior to version 9.5, the PDF export component does not correctly validate uploaded file extensions. This way any file type (including .php files) can be uploaded. With GHSA-w7xq-vjr3-p9cf, an attacker can achieve remote code execution as the web server user. Version 9.5 fixes the issue. Although upgrading is recommended, a workaround would be to make /var/lib/ldap-account-manager/config read-only for the web-server user.
Analysis
by VulDB Data Team • 03/23/2026
CVE-2026-27895 affects LDAP Account Manager (LAM), a widely used web-based interface for managing LDAP directory entries, including users, groups, and system configurations. Because LAM is a central administrative tool for organizations that rely on LDAP directories, it is an attractive target for attackers seeking persistent access to network resources. The vulnerability lies in the PDF export functionality of LAM versions prior to 9.5, specifically in the file upload validation, which fails to properly restrict file extensions. This is a classic insecure file upload flaw, categorized as CWE-434 (improper restriction of uploads to a restricted directory). Because the PDF export component lacks proper input validation, an attacker can bypass the checks that should prevent execution of potentially malicious file types such as PHP scripts.
The operational impact is severe: an attacker who can upload a malicious file to the target system gains remote code execution. Combined with the previously disclosed GHSA-w7xq-vjr3-p9cf vulnerability, this gives an attacker complete control over the web server hosting LAM, with arbitrary code running under the privileges of the web server user. This privilege escalation scenario creates a dangerous attack surface from which an attacker can move laterally within the network, access sensitive data, and establish persistence. The vulnerability shows how insufficient input validation, combined with a web server that executes uploaded files, provides a direct path to system compromise. The attack chain typically consists of uploading a malicious PHP file through the PDF export functionality and then requesting that file through the web server, resulting in remote code execution on the target system.
Security professionals should note that this vulnerability maps to several ATT&CK techniques: T1059.007 (command and script interpreter), T1078 (valid accounts), and T1566 (credential harvesting), since it enables attackers to execute commands and potentially escalate privileges. The recommended mitigation is to upgrade to LAM version 9.5 or later, which implements proper file extension validation and addresses the root cause. Organizations that cannot upgrade immediately can apply a temporary workaround by making the /var/lib/ldap-account-manager/config directory read-only for the web server user, which prevents malicious files from being written there. This workaround only mitigates the immediate risk and does not address the underlying flaw. The vulnerability highlights the importance of proper input validation in web applications and shows how a seemingly minor oversight can lead to a critical compromise. Organizations should assess their LAM installations and ensure all systems are updated to prevent exploitation. The incident underscores the need to keep software up to date and to implement access controls that limit the impact of a breach.
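The root cause described in the analysis is an upload path that does not restrict file extensions. The PHP snippet below is an added example written for this page, not LAM's own code, contrasting a check that trusts the client-supplied filename and MIME type with a hardened allowlist check of the kind version 9.5 is described as adding. The function names, the assumed allowlist (only `.pdf`), and the sample upload records are constructed for illustration and do not reflect what LAM's PDF export component actually accepts or how its code is structured.

```php
<?php
// Added example (not LAM's own code): extension validation for an upload
// handler such as a PDF-export template upload. Function names and the
// allowlist are assumptions made for illustration.

declare(strict_types=1);

// Weak check, shown for contrast: it relies only on the client-supplied
// name and MIME type, both of which the uploader controls.
function weak_upload_check(array $file): bool
{
    return $file['type'] === 'application/pdf'
        || strpos($file['name'], '.pdf') !== false;
}

// Hardened check: explicit allowlist of extensions, exactly one extension,
// basename only (path components stripped), conservative base name, and no
// reliance on the client MIME type. Returns the server-chosen destination
// name on success, null on rejection.
function validate_template_upload(array $file, array $allowed = ['pdf']): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // Strip any directory part: "../../config/x.pdf" becomes "x.pdf".
    $name = basename((string) $file['name']);
    // Exactly one dot: rejects "report.pdf.php", "report.php.pdf", ".htaccess".
    if (substr_count($name, '.') !== 1 || $name[0] === '.') {
        return null;
    }
    // Case-insensitive allowlist comparison on the final extension.
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        return null;
    }
    // Restrict the base name to a small safe character set.
    $base = pathinfo($name, PATHINFO_FILENAME);
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $base)) {
        return null;
    }
    // Never reuse the client's path; build the destination name server-side.
    return $base . '.' . $ext;
}

// Constructed sample uploads in the shape of a $_FILES entry.
$samples = [
    ['name' => 'report.pdf',          'type' => 'application/pdf', 'error' => UPLOAD_ERR_OK],
    ['name' => 'Report-2026.PDF',     'type' => 'application/pdf', 'error' => UPLOAD_ERR_OK],
    ['name' => 'page.php',            'type' => 'application/pdf', 'error' => UPLOAD_ERR_OK],
    ['name' => 'report.pdf.php',      'type' => 'application/pdf', 'error' => UPLOAD_ERR_OK],
    ['name' => '../../config/x.pdf',  'type' => 'application/pdf', 'error' => UPLOAD_ERR_OK],
    ['name' => 'report.pdf',          'type' => 'application/pdf', 'error' => UPLOAD_ERR_PARTIAL],
];

foreach ($samples as $s) {
    printf(
        "%-22s weak=%-6s hardened=%s\n",
        $s['name'],
        weak_upload_check($s) ? 'accept' : 'reject',
        validate_template_upload($s) ?? 'reject'
    );
}
```

Running this with `php` on the command line shows the weak check accepting `page.php` and `report.pdf.php` purely because the client claimed a PDF MIME type or embedded `.pdf` in the name, while the hardened check accepts only the single-extension `.pdf` names and rewrites the path-bearing one to `x.pdf`. Validation of this kind complements rather than replaces the read-only workaround above: even with a correct allowlist, the directory that receives uploads should not be writable by the web server user beyond what the feature needs, and should not be served as executable content.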