Summary
EGroupware has a Remote Code Execution Vulnerability
Full technical description
A critical vulnerability has been identified in EGroupware that may lead to Remote Code Execution (RCE).
The issue allows an authenticated attacker to execute arbitrary commands on the server. If user self-registration is enabled, the vulnerability may be exploitable without prior authentication.
The vulnerability stems from improper authorization checks combined with a file write primitive and an arbitrary file read vulnerability, which together enable full system compromise.
Details
1. Improper Authorization in SmallPartMediaRecorder::ajax_upload()
The vulnerability originates in:
EGroupware\SmallParT\Widgets\SmallPartMediaRecorder::ajax_upload()
The function attempts to verify whether the current user is a teacher of the specified course ID before allowing a file upload.
The critical authorization check ensures that the course access control list (ACL) contains:
$required_acl (self::ROLE_TEACHER, i.e., 3)
However, the course_acl value is derived from user-controlled request data.
Bypass Technique
A crafted request can manipulate the participant_role value inside the request body:
{
"video": {
"course_id": {
"participants": [
{
"account_id": "7",
"name": "Test",
"joined_at": "2026-01-10",
"participant_role": 3
}
],
"account_id": "7",
"course_id": "1"
},
"video_hash": ".",
"video_type": "file_here"
}
}
Because the course ACL is taken from participant_role, setting it to 3 allows bypassing the isTeacher check.
2. Arbitrary File Write
After bypassing authorization, the function uploads the provided file into a controllable file path.
The file path is derived from the video_type (or video_path) value, enabling path traversal.
Due to file permission restrictions (server running as www-data), writable targets are limited. One viable target is ./header.inc.php
3. Constraints
Writing a simple PHP webshell may not immediately execute due to OPcache.
An invalid header.inc.php file will break the system and prevent the server from running.
Therefore, a valid file structure must be preserved.
4. Arbitrary File Read
A second vulnerability allows arbitrary file read via:
/egroupware/index.php?menuaction=importexport.importexport_export_ui.download&_filename=../../../usr/share/egroupware/header.inc.php&_suffix=txt&_type=text/plain&filename=leak
The issue resides in:
importexport_export_ui::download
The _filename parameter is user-controlled and used to read arbitrary files.
This allows retrieving the original header.inc.php content.
5. Achieving Remote Code Execution
By combining: Arbitrary file read (to retrieve valid header.inc.php); Arbitrary file write (to overwrite it with modified content), an attacker can inject controlled PHP code while preserving file validity.
This results in Remote Code Execution after server restart, or OPcache expiration. An alternative impact includes modifying the admin setup password to gain full system control.
Reported by
This finding was discovered by Huong Kieu of Cenobe Security (https://cenobe.com/)
Impact
Remote Code Execution
Full system compromise
Arbitrary file read
Arbitrary file write
Potential complete takeover of EGroupware instance
Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files. Typical impact: unauthorized file read or write outside the intended directory.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
egroupware/egroupware to 26.2.20260224 or later; egroupware/egroupware to 23.1.20260224 or later
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-27823? CVE-2026-27823 is a critical-severity path traversal vulnerability in egroupware/egroupware (composer), affecting versions >= 26.0.20251208, < 26.2.20260224. It is fixed in 26.2.20260224, 23.1.20260224. Input manipulates file paths to reach files outside the intended directory, such as configuration or credential files.
- Which versions of egroupware/egroupware are affected by CVE-2026-27823? egroupware/egroupware (composer) versions >= 26.0.20251208, < 26.2.20260224 is affected.
- Is there a fix for CVE-2026-27823? Yes. CVE-2026-27823 is fixed in 26.2.20260224, 23.1.20260224. Upgrade to this version or later.
- Is CVE-2026-27823 exploitable, and should I be worried? Whether CVE-2026-27823 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-27823 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-27823?
- Upgrade
egroupware/egroupwareto 26.2.20260224 or later - Upgrade
egroupware/egroupwareto 23.1.20260224 or later
- Upgrade