Summary
EGroupware has Authenticated RCE via Malicious eTemplate Upload
Full technical description
An authenticated administrator can achieve OS-level Remote Code Execution (RCE) by uploading a malicious eTemplate XML file (.xet) to the VFS /etemplates mount.
The Widget::expand_name() method passes template widget attribute values directly into a PHP eval() call with only double-quote escaping applied - backtick characters are not escaped.
In PHP, backticks inside a double-quoted eval() string execute shell commands. This allows an admin-level user to escalate from web
application access to arbitrary OS command execution on the server.
Details
The vulnerability is located in api/src/Etemplate/Widget.php, Widget::expand_name(): (lines 703–728)
The method is designed to expand PHP variables (e.g., $row, $col,$cont[id]) in widget attribute values for auto-repeat grids. The eval() is triggered whenever $name contains a $ character (line 706). The only sanitization applied before the eval is:
str_replace('"', '\\"', $name)
This escapes double quotes only. Backtick characters are not escaped. In PHP, backticks inside a double-quoted string in eval() are treated as shell execution operators, equivalent to shell_exec(). A widget id of $row\id`` produces:
eval('$name = "$row`id`";'); // executes shell command: id
expand_name() is called from:
form_name()expand_widget()set_attrs()Template::run()
The /etemplates VFS path is created exclusively for admin users, it is chgrp'd to Admins and chmod'd to 075 (Admins group has full rwx): class.filemanager_admin.inc.php:95-106
Custom templates in /etemplates take precedence over built-in filesystem templates, meaning a malicious template can silently override any existing application template.
Mitigating factor: The official Docker deployment sets disable_functions = exec,passthru,shell_exec,system,proc_open,popen in php.ini, which also blocks PHP backtick execution (backticks internally call shell_exec). Non-Docker or non-hardened deployments without this php.ini setting are fully vulnerable. Dockerfile:47
The current master branch in api/setup/setup.inc.php, confirming the vulnerability is present in the latest code as of today. setup.inc.php:14-17
Proof of Concept (PoC)
Prerequisites
- Admin account
- Non-Docker deployment, or Docker deployment where disable_functions has been removed/modified in php.ini
Step 1, Mount /etemplates:
Log in as admin, navigate to Admin → Filemanager → VFS Mounts, and click "Install custom templates". This executes the code in filemanager_admin.inc.php that mounts /etemplates with Admins-group write access.
Step 2, Upload malicious template:
Create a file named index.xet with the following content:
<?xml version="1.0" encoding="UTF-8"?>
<overlay>
<template id="admin.index">
<grid>
<columns><column/></columns>
<rows>
<row>
<textbox id="$row`touch /tmp/pwned_egw 2>/dev/null`"/>
</row>
</rows>
</grid>
</template>
</overlay>
Upload this file to /etemplates/admin/templates/default/index.xet via the VFS filemanager.
Step 3, Trigger execution:
Navigate to the EGroupware admin panel:
https://<target>/egroupware/index.php?menuaction=admin.admin_ui.index
When the template is loaded and beforeSendToClient() runs, form_name() calls expand_name() with $name = '$row\touch /tmp/pwned_egw 2>/dev/null'and$row = 0. The eval becomes:
eval('$name = "$row`touch /tmp/pwned_egw 2>/dev/null`";');
PHP executes the backtick expression as a shell command.
Step 4, Verify:
Check that /tmp/pwned_egw was created on the server. For a more impactful demonstration, replace touch /tmp/pwned_egw with id > /tmp/pwned_egw to capture the web server's OS user identity.
Severity
The vulnerability allows escalation from EGroupware admin-level web access to arbitrary OS command execution as the web server user (typically www-data). From there, an attacker can read configuration files (including database credentials), pivot to other services, or establish persistence. This is not exploitable by regular (non-admin) users. The official Docker deployment is not affected due to disable_functions, but bare-metal, VM, or custom container deployments without this hardening are fully vulnerable.
Impact
Authenticated Remote Code Execution (RCE) via eval() with unsanitized shell metacharacters.
Who is impacted: Any EGroupware installation where:
- An admin account is compromised or a malicious admin exists, AND
- The server is not running with disable_functions blocking shell_exec (i.e., non-Docker or misconfigured deployments)
Untrusted input reaches a shell command, allowing arbitrary commands to run on the host. Typical impact: code execution in the application's environment.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
egroupware/egroupware to 26.4.20260413 or later; egroupware/egroupware to 23.1.20260601 or later
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-40187? CVE-2026-40187 is a high-severity OS command injection vulnerability in egroupware/egroupware (composer), affecting versions >= 26.0.20251208, < 26.0.20260113. It is fixed in 26.4.20260413, 23.1.20260601. Untrusted input reaches a shell command, allowing arbitrary commands to run on the host.
- Which versions of egroupware/egroupware are affected by CVE-2026-40187? egroupware/egroupware (composer) versions >= 26.0.20251208, < 26.0.20260113 is affected.
- Is there a fix for CVE-2026-40187? Yes. CVE-2026-40187 is fixed in 26.4.20260413, 23.1.20260601. Upgrade to this version or later.
- Is CVE-2026-40187 exploitable, and should I be worried? Whether CVE-2026-40187 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-40187 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-40187?
- Upgrade
egroupware/egroupwareto 26.4.20260413 or later - Upgrade
egroupware/egroupwareto 23.1.20260601 or later
- Upgrade