External risk intelligence

openDCIM SQL Injection Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-28516

openDCIM is a Data Center Infrastructure Management tool typically deployed within internal data center networks for management purposes. While it is a web-based application and theoretically accessible if exposed to the internet, it is not standard practice to expose such management interfaces directly to the public internet.

SQL Injection

Opendcim

23.04

Halo Surface Signal: 3 out of 5 — possibly public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability has been identified in openDCIM software that allows an authenticated user to execute arbitrary commands by injecting malicious SQL code. This issue arises from the software's handling of user input within its configuration update parameters, where it directly inserts data into SQL queries without proper sanitization. The primary concern is to confirm if our environment utilizes this specific software and, if so, to understand our exposure.

  • Stored data can be manipulated by authenticated users.
  • Critical for data center management systems.
  • Confirm relevance and potential exposure to this vulnerability.

Attack Path

How an attacker could exploit the issue

An attacker with existing authenticated access to openDCIM can exploit a vulnerability in the configuration update feature. By providing specially crafted input to the `UpdateParameter` function through the `install.php` or `container-install.php` scripts, an attacker can manipulate SQL queries. This manipulation allows them to execute arbitrary SQL commands, potentially leading to unauthorized access or modification of sensitive data.

  • Requires authenticated access.
  • Triggered by manipulating configuration settings.
  • Risk of arbitrary SQL command execution.

Live Threat

Current exploitation, exposure, and threat context

An authenticated user with access to openDCIM could execute arbitrary SQL statements against the underlying database when supported by the advisory. This occurs because the application passes user-supplied input directly into SQL statements without proper sanitation or the use of prepared statements.

  • Database integrity and availability.
  • Malicious SQL queries executed.
  • Unauthorized data access or modification.

Operational Fix

Recommended remediation, mitigation, and detection steps

The application owner is responsible for managing openDCIM, but the infrastructure or platform team likely controls its deployment and network exposure. The first practical step is to identify all instances of openDCIM, determine their reachability and criticality, and then engage the accountable owner to plan remediation, which may involve vendor coordination or other risk reduction strategies.

  • Application owners should own the issue.
  • Verify reachability and business criticality.
  • Plan remediation based on identified risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is openDCIM?

openDCIM is a web-based Data Center Infrastructure Management tool. Organizations use it to track physical assets, power consumption, and environmental metrics within data centers to ensure efficient facility operations and hardware inventory management.

What does SQL injection mean for CVE-2026-28516?

This vulnerability falls under the CWE-89 weakness class. It means the software does not properly filter user-provided text before including it in database commands. Because of this, an attacker can trick the system into running unauthorized, malicious database instructions instead of the intended configuration updates.

How is this SQL injection triggered?

It is triggered by sending malicious input through the UpdateParameter function found in specific installation scripts like install.php. The flaw exists because the software uses unsafe string interpolation. Normal, expected usage of the interface does not trigger the bug; it requires specific, crafted input intended to manipulate the backend query structure.

Is my instance of openDCIM at risk?

Per Halo Surface Signal, openDCIM is typically kept within internal networks, which helps limit reach. You should assess if your deployment is accessible from the public internet. While the vulnerability requires existing authentication, any openDCIM instance reachable by untrusted users carries a higher risk of unauthorized database interaction.

What should I do if I run openDCIM?

Start by auditing your network to identify all running instances and their current version. Verify if your deployment is reachable beyond authorized internal zones. Once identified, coordinate with your application owner to review the project's official security updates and apply the necessary patches to address how the software processes user input.

References