GHSA-h9qx-v5xp-ph8p: EGroupware has a Remote Code Execution Vulnerability
Summary
A critical vulnerability has been identified in EGroupware that may lead to Remote Code Execution (RCE).
The issue allows an authenticated attacker to execute arbitrary commands on the server. If user self-registration is enabled, the vulnerability may be exploitable without prior authentication.
The vulnerability stems from improper authorization checks combined with a file write primitive and an arbitrary file read vulnerability, which together enable full system compromise.
Details
1. Improper Authorization in SmallPartMediaRecorder::ajax_upload()
The vulnerability originates in:
EGroupware\SmallParT\Widgets\SmallPartMediaRecorder::ajax_upload()
The function attempts to verify whether the current user is a teacher of the specified course ID before allowing a file upload.
The critical authorization check ensures that the course access control list (ACL) contains:
$required_acl (self::ROLE_TEACHER, i.e., 3)
However, the course_acl value is derived from user-controlled request data.
**_Bypass Technique_**
A crafted request can manipulate the participant_role value inside the request body:
{
"video": {
"course_id": {
"participants": [
{
"account_id": "7",
"name": "Test",
"joined_at": "2026-01-10",
"participant_role": 3
}
],
"account_id": "7",
"course_id": "1"
},
"video_hash": ".",
"video_type": "file_here"
}
}
Because the course ACL is taken from participant_role, setting it to 3 allows bypassing the isTeacher check.
2. Arbitrary File Write
After bypassing authorization, the function uploads the provided file into a controllable file path.
The file path is derived from the video_type (or video_path) value, enabling path traversal.
Due to file permission restrictions (server running as www-data), writable targets are limited. One viable target is ./header.inc.php
3. Constraints
Writing a simple PHP webshell may not immediately execute due to OPcache.
An invalid header.inc.php file will break the system and prevent the server from running.
T
Details
Original advisory: https://github.com/advisories/GHSA-h9qx-v5xp-ph8p
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-27823 | coverage & exploitation status | NVD · CVE.org |
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10