CVE-2026-45777 | Severity: CRITICAL | CNA: GitHub_M

CVE-2026-45777: Open XDMoD Vulnerable to Unauthenticated Remote Code Execution (RCE) via OS Command Injection

Open XDMoD is an open framework for collecting and analyzing HPC metrics. Starting in version 9.5.0 and prior to version 11.0.3, an attacker can remotely execute arbitrary system commands on the web server hosting Open XDMoD with the privileges of the web server process. This could allow an attacker to read or modify application data, alter system configuration, or disrupt service availability. All deployments of Open XDMoD versions 9.5.0 through 11.0.2 (inclusive) are impacted. This issue was reported privately on 2026-04-06, and at this time there is no evidence that this vulnerability has been exploited in the wild. The vulnerability was patched in Open XDMoD 11.0.3 on 2026-05-12. As a workaround, apply the patch manually.

Metrics

  • CVSS v4.0: 9.3
  • Severity: CRITICAL
  • Fixed in: 11.0.3
  • Affected products: 1


HarborGuard Analysis

Synopsis

OS command injection vulnerability in Open XDMoD (versions 9.5.0 through 11.0.2) allows an unauthenticated remote attacker to execute arbitrary system commands on the web server hosting the application. The vulnerability is reachable over the network with no authentication and no user interaction required, giving the attacker the full privileges of the web server process. Successful exploitation enables reading or modifying application data, altering system configuration, and disrupting service availability. A patched-image rebuild at version 11.0.3 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle Open XDMoD. Any image layer containing an affected version (9.5.0 through 11.0.2) of the ubccr/xdmod package is flagged immediately.

Triage (Available)

HarborGuard scores this CVE at CVSS 9.3 (Critical) and surfaces it accordingly in each customer environment, weighted against that environment's compliance policy. Findings are routed to the appropriate team inbox based on each organization's configured ownership rules, so the right engineer is notified without manual triage.

Patch (Pending upstream)

A patched-image rebuild at Open XDMoD 11.0.3 is available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard triggers the rebuild, runs the regression test suite against the updated image, and opens a pull request against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Open XDMoD web service over the network; any internet- or intranet-exposed deployment is within scope.

  • Authentication: Not required

    No account or session credentials are needed; the injection point is accessible to anonymous requests.

  • Victim interaction: Not required

    The attacker does not need to trick or involve any user; the exploit is fully server-side.

  • Attack complexity: Low

    The exploit is reliable and condition-free, requiring no race conditions, special memory layout, or environmental setup beyond network access to the target.

Blast Radius

  • The attacker executes arbitrary operating system commands with the privileges of the web server process, enabling full control of the application runtime.
  • Application data stored on the server, including HPC metrics, user records, and configuration files, can be read or modified directly.
  • System-level configuration files accessible to the web server process can be altered, potentially enabling persistence or lateral movement within the host.
  • The web server process can be terminated or its resources exhausted, taking the Open XDMoD service offline.

How HarborGuard Handles This

Available on HarborGuard: detection for this Critical-severity OS command injection fires within minutes of CVE publication for any scanned image containing Open XDMoD 9.5.0 through 11.0.2. A patched-image rebuild at version 11.0.3 is available for affected environments. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs regression tests against the patched image, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, the finding is queued for manual review with the CVSS 9.3 score and full vector detail attached. As an interim compensating control while remediation is planned, network-policy rules restricting inbound access to the Open XDMoD web interface to trusted IP ranges will reduce the attack surface for unauthenticated network-based exploitation.
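The version-range check that the Detection section and the paragraph above describe, as an added example that is not HarborGuard's or Open XDMoD's own code: it walks constructed SBOM component entries (the dict shape and the exact package name "ubccr/xdmod" are assumptions) and flags any version in the affected range >= 9.5.0, < 11.0.3, reporting unparsable version strings for manual review rather than silently treating them as fixed.

```python
import re
from typing import Iterable, Optional, Tuple

# Assumptions (not from the page): SBOM entries are dicts with "name" and
# "version" keys, and the package name appears exactly as "ubccr/xdmod".
AFFECTED_PACKAGE = "ubccr/xdmod"
AFFECTED_MIN = (9, 5, 0)   # first affected release (inclusive)
FIXED_IN = (11, 0, 3)      # first fixed release (exclusive upper bound)
CVE_ID = "CVE-2026-45777"
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")

def parse_version(version: str) -> Optional[Tuple[int, ...]]:
    """Parse 'MAJOR.MINOR.PATCH' (optional leading 'v'); anything else, e.g.
    '11.0.3-rc1', returns None so it goes to manual review, not 'fixed'."""
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        return None
    return tuple(int(g) for g in m.groups())

def is_affected(version: Tuple[int, ...]) -> bool:
    """True for every release the advisory lists: 9.5.0 <= v < 11.0.3."""
    return AFFECTED_MIN <= version < FIXED_IN

def scan_sbom(components: Iterable[dict]) -> list:
    """One finding per ubccr/xdmod component; status is 'affected', 'fixed'
    (>= 11.0.3), 'outside-range' (< 9.5.0) or 'unknown' (unparsable)."""
    findings = []
    for comp in components:
        if comp.get("name") != AFFECTED_PACKAGE:
            continue
        raw = comp.get("version", "")
        parsed = parse_version(raw)
        if parsed is None:
            status = "unknown"
        elif is_affected(parsed):
            status = "affected"
        elif parsed < AFFECTED_MIN:
            status = "outside-range"
        else:
            status = "fixed"
        findings.append({"name": AFFECTED_PACKAGE, "version": raw, "status": status, "cve": CVE_ID})
    return findings

# Constructed sample SBOM entries (CycloneDX-like shape, not a real scan result).
SAMPLE_SBOM = [
    {"name": "ubccr/xdmod", "version": "11.0.2"},
    {"name": "ubccr/xdmod", "version": "v9.5.0"},
    {"name": "ubccr/xdmod", "version": "11.0.3"},
    {"name": "ubccr/xdmod", "version": "11.0.3-rc1"},
    {"name": "ubccr/xdmod", "version": "9.0.0"},
]
```

Anything reported as "unknown" (a pre-release tag, a distro-patched version string) should be resolved by hand against the 11.0.3 fix rather than dropped from the finding list.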

Affected packages

  • ubccr/xdmod: >= 9.5.0, < 11.0.3

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N