CVE-2026-8406: openSIS Classic 9.3 - Insecure Direct Object Reference in Sent Mail
openSIS Classic 9.3 contains an insecure direct object reference vulnerability in the messaging module. Any authenticated user with access to the messaging module can request sent-message details from modules/messaging/SentMail.php by supplying an arbitrary mail_id value.
Metrics
- CVSS v4.0: 7.1
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An insecure direct object reference (IDOR) vulnerability exists in the messaging module of openSIS Classic 9.3. Any authenticated user can retrieve sent-message details belonging to other users by manipulating the mail_id parameter in a direct HTTP request to SentMail.php, with no elevated privileges required beyond a basic account. Successful exploitation gives the attacker read access to private sent-mail contents across the application. HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.
HarborGuard Coverage
Detection of CVE-2026-8406 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images derived from openSIS Classic 9.3 base layers.
Available
HarborGuard scores this CVE at 7.1 HIGH using the CVSS v4.0 vector and weights it against each environment's compliance policy to determine urgency and routing, surfacing findings to the appropriate team inbox within each customer organization.
Available
No upstream fix version has been published for this CVE; HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. In the interim, the advisory remains open and visible in the affected-image findings list for each customer environment where openSIS Classic 9.3 is present.
Pending upstream
Exploit Conditions
- Network reachability: Required. The vulnerable SentMail.php endpoint is exposed over the network, so an attacker must be able to reach the application's HTTP interface.
- Authentication: Required. Any low-privilege account with access to the messaging module is sufficient; no administrative role is needed.
- Victim interaction: Not required. The attacker sends a crafted request directly to the server; no action by another user is required.
- Attack complexity: Detail. Exploitation is straightforward and condition-free: incrementing or substituting an integer mail_id value in the request is all that is required.
Blast Radius
- The attacker reads the full contents of sent messages written by other users, including any personally identifiable or sensitive information those messages contain.
- By iterating over mail_id values, the attacker can enumerate the entire sent-mail history across all users of the application.
- No data modification or service disruption capability is granted by this vulnerability; impact is limited to confidentiality of stored messages.
How HarborGuard Handles This
Available on HarborGuard: this CVE is actively tracked and matched against any customer image built on or derived from openSIS Classic 9.3. Because no upstream fix version exists yet, HarborGuard monitors the advisory on every ingest cycle and will automatically queue a patched-image rebuild the moment the vendor ships a remediated release. For customers who opt into auto-remediation, that rebuild will trigger a regression test run and open a pull request against affected workloads without manual intervention. While no patch is available, compensating controls worth considering include network-policy rules that restrict messaging-module access to authenticated internal networks only, egress filtering to limit lateral data movement, and application-level access controls or WAF rules that reject out-of-range or non-owned mail_id values before the request reaches the PHP layer.
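Until a fix ships, the mail_id iteration described under Blast Radius can be looked for in web server access logs. The following is an added example, not HarborGuard or openSIS code: it assumes combined-format access logs, uses the client address as the grouping key, and the threshold of five distinct values is an arbitrary starting point to tune per site.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: Apache/nginx "combined" style lines; only the client address
# and the request target are used. mail_id sent in a POST body is not
# visible in access logs and needs application-level logging instead.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*"')
NUMERIC_RE = re.compile(r"[0-9]+")

def find_mail_id_enumeration(log_text, max_distinct=5):
    """Return {client: sorted mail_ids} for clients that requested more
    than max_distinct different mail_id values from SentMail.php."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target = m.groups()
        url = urlsplit(target)
        # Match the script name in the path or in a routing query parameter.
        if "SentMail.php" not in unquote(url.path + "?" + url.query):
            continue
        for value in parse_qs(url.query).get("mail_id", []):
            if NUMERIC_RE.fullmatch(value):
                seen[client].add(int(value))
    return {c: sorted(ids) for c, ids in seen.items() if len(ids) > max_distinct}

def _line(ip, target):
    # Helper that builds one constructed sample log line.
    return f'{ip} - - [01/Jan/2026:10:00:00 +0000] "GET {target} HTTP/1.1" 200 512'

# Constructed sample data (not real traffic): one client re-reading its own
# messages, one client walking eight consecutive ids, and unrelated noise.
SENT = "/modules/messaging/SentMail.php?mail_id="
SAMPLE_LOG = "\n".join(
    [_line("10.0.0.5", f"{SENT}{i}") for i in (41, 41, 42)]
    + [_line("10.0.0.9", f"{SENT}{i}") for i in range(100, 108)]
    + [_line("10.0.0.9", "/index.php"), _line("10.0.0.7", f"{SENT}abc")]
)

if __name__ == "__main__":
    for client, ids in find_mail_id_enumeration(SAMPLE_LOG).items():
        print(f"{client}: {len(ids)} distinct mail_id values, {ids[0]}..{ids[-1]}")
```

Where the application sits behind a proxy or NAT, grouping by session identifier rather than client address gives a cleaner signal, provided the log format records it.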
- OS4ED / openSIS-Classic9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N