CVE-2026-27823

CRITICALPre-NVD 0.0
0.0
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • No confirmed exploitation signals yet
CISA-KEV: Not listedEPSS: CVSS: Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

EGroupware has a Remote Code Execution Vulnerability

Summary

A critical vulnerability has been identified in EGroupware that may lead to Remote Code Execution (RCE). The issue allows an authenticated attacker to execute arbitrary commands on the server. If user self-registration is enabled, the vulnerability may be exploitable without prior authentication.

The vulnerability stems from improper authorization checks combined with a file write primitive and an arbitrary file read vulnerability, which together enable full system compromise.

Details

1. Improper Authorization in SmallPartMediaRecorder::ajax_upload()

The vulnerability originates in:

EGroupware\SmallParT\Widgets\SmallPartMediaRecorder::ajax_upload()

The function attempts to verify whether the current user is a teacher of the specified course ID before allowing a file upload.

The critical authorization check ensures that the course access control list (ACL) contains:

$required_acl (self::ROLE_TEACHER, i.e., 3)

However, the course_acl value is derived from user-controlled request data.

_Bypass Technique_

A crafted request can manipulate the participant_role value inside the request body:

{
  "video": {
    "course_id": {
      "participants": [
        {
          "account_id": "7",
          "name": "Test",
          "joined_at": "2026-01-10",
          "participant_role": 3
        }
      ],
      "account_id": "7",
      "course_id": "1"
    },
    "video_hash": ".",
    "video_type": "file_here"
  }
}

Because the course ACL is taken from participant_role, setting it to 3 allows bypassing the isTeacher check.

2. Arbitrary File Write

After bypassing authorization, the function uploads the provided file into a controllable file path.

The file path is derived from the video_type (or video_path) value, enabling path traversal.

Due to file permission restrictions (server running as www-data), writable targets are limited. One viable target is ./header.inc.php

3. Constraints

Writing a simple PHP webshell may not immediately execute due to OPcache.

An invalid header.inc.php file will break the system and prevent the server from running.

Therefore, a valid file structure must be preserved.

4. Arbitrary File Read

A second vulnerability allows arbitrary file read via:

/egroupware/index.php?menuaction=importexport.importexport_export_ui.download&_filename=../../../usr/share/egroupware/header.inc.php&_suffix=txt&_type=text/plain&filename=leak

The issue resides in:

importexport_export_ui::download

The _filename parameter is user-controlled and used to read arbitrary files.

This allows retrieving the original header.inc.php content.

5. Achieving Remote Code Execution

By combining: Arbitrary file read (to retrieve valid header.inc.php); Arbitrary file write (to overwrite it with modified content), an attacker can inject controlled PHP code while preserving file validity.

This results in Remote Code Execution after server restart, or OPcache expiration. An alternative impact includes modifying the admin setup password to gain full system control.

Impact

Remote Code Execution Full system compromise Arbitrary file read Arbitrary file write Potential complete takeover of EGroupware instance

Reported by

This finding was discovered by Huong Kieu of Cenobe Security (https://cenobe.com/)

CVSS v3
EG Score
0.0(none)
EPSS
KEV
Not listed

Published

July 7, 2026

Last Modified

July 7, 2026

Vendor Advisories for CVE-2026-27823(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 0× in last 7d / 1× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-07 13:38 UTCEG score recompute

Frequently asked(3)

What is CVE-2026-27823?
CVE-2026-27823 is a critical vulnerability published on July 7, 2026. EGroupware has a Remote Code Execution Vulnerability Summary A critical vulnerability has been identified in EGroupware that may lead to Remote Code Execution (RCE). The issue allows an authenticated attacker to execute arbitrary commands on the server. If user self-registration is enabled, the…
When was CVE-2026-27823 disclosed?
CVE-2026-27823 was first published in the National Vulnerability Database on July 7, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
How do I remediate CVE-2026-27823?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-27823, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-27823

Explore →

Is Your Infrastructure Affected by CVE-2026-27823?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.