CVE-2026-27012 PUBLISHED

Unauthenticated privilege escalation in OpenSTAManager via modules/utenti/actions.php

Assigner: GitHub_M
Reserved: 17.02.2026 Published: 03.03.2026 Updated: 03.03.2026

OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, a privilege escalation and authentication bypass vulnerability in OpenSTAManager allows any attacker to arbitrarily change a user's group (idgruppo) by directly calling modules/utenti/actions.php. This can promote an existing account (e.g. agent) into the Amministratori group as well as demote any user including existing administrators.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 9.8

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	devcode-it
Product	openstamanager
Versions	Version <= 2.9.8 is affected

References

https://github.com/devcode-it/openstamanager/security/advisories/GHSA-247v-7cw6-q57v

Problem Types

CWE-306: Missing Authentication for Critical Function CWE