LDAP Account Manager (LAM) is a web-based interface for managing LDAP directory entries such as users and groups. Versions prior to 9.5 contain a critical vulnerability (CVE-2026-27894) classified under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). The flaw exists in the PDF export feature, where the application improperly handles filenames used in PHP include or require statements. This allows an authenticated user to include local PHP files, leading to remote code execution on the server. The vulnerability requires the attacker to be logged into LAM but does not require further user interaction. When combined with another vulnerability (GHSA-88hf-2cjm-m9g8), the attacker can execute arbitrary code remotely, significantly increasing the threat level. The vulnerability affects all LAM versions before 9.5, which addresses the issue. No known exploits are currently reported in the wild. The CVSS 3.1 score of 8.8 indicates a high-severity issue with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality, integrity, and availability. The recommended mitigation is upgrading to version 9.5. As an interim measure, making the /var/lib/ldap-account-manager/config directory read-only for the web server user and deleting PDF profile files disables the vulnerable PDF export functionality, reducing risk.

If exploited, this vulnerability allows an authenticated attacker to execute arbitrary PHP code on the server hosting LDAP Account Manager. This can lead to full system compromise, including unauthorized access to sensitive LDAP directory data, modification or deletion of directory entries, and disruption of directory services. The compromise of LDAP data can cascade to other dependent systems relying on LDAP for authentication and authorization, amplifying the impact. The vulnerability affects confidentiality by exposing sensitive user and group information, integrity by allowing unauthorized modifications, and availability by potentially disrupting LDAP services. Given the network attack vector and low complexity, attackers with valid credentials can exploit this vulnerability remotely, increasing the risk in environments where LAM is accessible over the network. Organizations relying on LAM for LDAP management face significant operational and security risks until patched or mitigated.

1. Upgrade LDAP Account Manager to version 9.5 or later, which contains the official fix for this vulnerability. 2. Until upgrading is possible, restrict the web server user's permissions by making the /var/lib/ldap-account-manager/config directory read-only to prevent modification or inclusion of malicious files. 3. Delete or disable PDF profile files to prevent use of the vulnerable PDF export feature, effectively blocking the attack vector. 4. Implement strict access controls and monitoring on the LAM application to detect unauthorized login attempts and suspicious activities. 5. Limit LAM access to trusted networks or VPNs to reduce exposure to potential attackers. 6. Regularly audit and review user accounts with access to LAM to minimize the number of privileged users. 7. Employ web application firewalls (WAF) with rules to detect and block local file inclusion attempts targeting LAM. 8. Monitor logs for unusual PHP file inclusions or errors related to PDF exports to identify exploitation attempts early.