External risk intelligence

OpenCMS allows attackers to steal sensitive files or take control of systems

CVE advisory
Severity: CRITICAL (CVSS 9.8)

CVE-2026-38429

OpenCMS allows an internal attacker with administrative access to view sensitive server files by uploading a malicious file through the file import tool. This exposure could reveal system credentials or configuration data, which may be used to compromise the entire server.

Halo Surface Signal: 2

XML External Entity Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-38429

The flaw exists within an administrative feature of the CMS that requires authorized administrative access. Such interfaces are typically restricted to internal networks or VPNs, and although the web application may be reachable, the administrative functions are generally protected by access controls, making public exposure uncommon.

Horizon Alert

Summary of the vulnerability and why it matters

This issue in OpenCMS allows an attacker to execute commands by uploading a crafted file. Because the vulnerability is in an administrative feature, it typically requires existing access to exploit, but could lead to significant compromise.

  • Sensitive data exposure.
  • System compromise possible.
  • Requires admin access.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this XML External Entity vulnerability in OpenCMS by crafting a malicious ZIP file containing a specially designed `manifest.xml`. When an administrator imports this ZIP file through the Admin Import DB feature, the insecurely configured XML parser resolves the external entities declared in that manifest. This could lead to sensitive data disclosure, denial of service, or even remote code execution if the server can be tricked into interacting with external resources.

  • Requires admin import feature access.
  • Targets XML parsing of zip archives.
  • Server must parse user-supplied XML.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability presents an interesting case for attackers. While the technical severity is high, its potential for weaponization is tempered by the need for administrative access. Attackers might favor it if they can find ways around authentication or target specific, less secured administrative interfaces.

  • Requires admin access.
  • Unlikely public exploit.
  • Deferred status noted.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize containment and monitoring for OpenCMS v20 and earlier, as a critical XXE vulnerability exists in the Admin Import DB feature. Given the administrative access required for exploitation, focus on verifying that only authorized personnel can access this feature and review logs for any suspicious activity related to database imports.

  • Restrict access to Admin Import DB.
  • Monitor import logs for unusual manifests.
  • Isolate affected systems if unauthorized access is detected.
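The "unusual manifests" the second action refers to are the constructs described under Attack Path: a DOCTYPE or entity declaration inside `manifest.xml`. The following Python gate is an added example, not OpenCMS code and not part of this advisory; it scans every XML member of an uploaded archive and refuses any DTD before a document tree is built, so nothing is ever resolved from disk or network. The function names (`parse_manifest_safely`, `scan_import_archive`, `make_archive`), the `MAX_XML_BYTES` limit and both sample manifests are assumptions constructed for the example.

```python
"""Pre-parse gate for XML members of an uploaded import archive.

Added example (not OpenCMS code): inspects every *.xml member of a ZIP,
refuses any DOCTYPE, entity declaration or external entity reference
before a DOM is ever built, and never fetches anything from disk or network.
"""
import io
import zipfile
import xml.parsers.expat as expat
import xml.etree.ElementTree as ET

MAX_XML_BYTES = 4 * 1024 * 1024  # assumed limit for one manifest; tune per deployment


class UnsafeManifest(Exception):
    """Raised as soon as the parser sees a construct that can carry an XXE payload."""


def parse_manifest_safely(data: bytes) -> ET.Element:
    """Parse XML only if it contains no DTD at all.

    expat invokes the DOCTYPE handler before it processes the internal subset,
    so raising there aborts the parse before any entity can be declared,
    expanded (entity-expansion DoS) or resolved (file or network read).
    """
    p = expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeManifest(f"DOCTYPE {name!r} is not allowed in an import manifest")

    def reject_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeManifest(f"entity declaration {name!r} is not allowed")

    def reject_external_ref(context, base, sysid, pubid):
        raise UnsafeManifest(f"external entity reference to {sysid!r} is not allowed")

    p.StartDoctypeDeclHandler = reject_doctype
    p.EntityDeclHandler = reject_entity_decl
    p.ExternalEntityRefHandler = reject_external_ref
    p.Parse(data, True)  # raises UnsafeManifest or expat.ExpatError
    # The document is DTD-free, so a plain tree parse cannot expand entities.
    return ET.fromstring(data)


def scan_import_archive(zip_bytes: bytes) -> dict[str, str]:
    """Return a verdict per XML member: 'ok' or a 'REJECT: ...' reason.

    Meant to run before the import job touches any member; the verdicts are
    also what you would write to the import log for monitoring.
    """
    verdicts: dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".xml"):
                continue
            if info.file_size > MAX_XML_BYTES:  # uncompressed size from the central directory
                verdicts[info.filename] = f"REJECT: {info.file_size} bytes exceeds limit"
                continue
            try:
                parse_manifest_safely(zf.read(info))
                verdicts[info.filename] = "ok"
            except UnsafeManifest as exc:
                verdicts[info.filename] = f"REJECT: {exc}"
            except expat.ExpatError as exc:
                verdicts[info.filename] = f"REJECT: malformed XML ({exc})"
    return verdicts


def make_archive(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {name: content}; used for the constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not real OpenCMS manifests): a plain manifest and one
# carrying a DTD, which is the construct every XXE payload needs.
BENIGN_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<export><info><creator>Admin</creator></info><files/></export>"""

DOCTYPE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE export [<!ENTITY ext SYSTEM "file:///placeholder/path">]>
<export><info><creator>&ext;</creator></info></export>"""

if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN_MANIFEST), ("doctype", DOCTYPE_MANIFEST)):
        print(label, scan_import_archive(make_archive({"manifest.xml": manifest})))
```

Rejecting the DOCTYPE outright, rather than trying to distinguish harmless internal entities from external ones, is the usual hardening for import formats that never legitimately need a DTD. In Java, which is what OpenCMS is written in, the equivalent is to set the `http://apache.org/xml/features/disallow-doctype-decl` feature to `true` on the `DocumentBuilderFactory` used for the manifest, so that the parser fails the same way at the first `<!DOCTYPE`.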

Frequently asked questions

What is OpenCMS v20, and what is it used for?

OpenCMS is a content management system (CMS) used for creating and managing digital content. Version 20 and earlier versions are susceptible to the vulnerability described in this advisory. CMS platforms like OpenCMS are commonly used by organizations to publish and maintain websites and other online content.

What type of vulnerability does CVE-2026-38429 represent in OpenCMS?

CVE-2026-38429 is an XML External Entity (XXE) vulnerability. This weakness occurs when an XML parser processes untrusted XML input, potentially allowing an attacker to access internal files, perform network requests, or cause denial of service by exploiting the parser's interaction with external entities.

How can an attacker exploit this OpenCMS vulnerability?

An attacker needs to upload a specially crafted ZIP file containing a malicious `manifest.xml` file. This file must then be imported by an administrator using the 'Admin Import DB' feature within OpenCMS v20 or older. The vulnerability is not triggered if the server does not parse user-supplied XML or if the 'Admin Import DB' feature is not used.

Who should be concerned about CVE-2026-38429?

Organizations using OpenCMS v20 or earlier should be concerned. While the vulnerability is in an administrative feature and requires authorized access to exploit, making widespread public exploitation unlikely, it could be a significant risk if an attacker gains administrative privileges or targets less secured administrative interfaces.

What are the first steps for managing this OpenCMS vulnerability?

For OpenCMS v20 and earlier, administrators should immediately restrict access to the 'Admin Import DB' feature to only essential personnel. It is also recommended to monitor import logs for any suspicious activity and to isolate systems if unauthorized access is suspected.
