LDAP Account Manager (LAM) is a web-based interface used to manage LDAP directory entries such as users, groups, and DHCP settings. Versions prior to 9.5 contain a critical vulnerability (CVE-2026-27894) classified under CWE-98, which involves improper control of filenames used in include or require statements within PHP code. Specifically, the PDF export feature in LAM allows authenticated users to perform local file inclusion (LFI) by manipulating the filename parameter, enabling the inclusion and execution of arbitrary local PHP files. When combined with a related vulnerability (GHSA-88hf-2cjm-m9g8), this can lead to full remote code execution on the server. The vulnerability requires the attacker to have valid login credentials to LAM but does not require further user interaction. The CVSS v3.1 score is 8.8, reflecting high impact on confidentiality, integrity, and availability with network attack vector, low attack complexity, and privileges required. The flaw arises because the application fails to properly sanitize or restrict file paths used in the include/require statements during PDF export processing. The vendor fixed the issue in version 9.5. As a temporary mitigation, making the /var/lib/ldap-account-manager/config directory read-only for the web server user and deleting PDF profile files can prevent exploitation by disabling PDF exports. No known exploits are reported in the wild yet, but the vulnerability poses a significant risk to organizations using vulnerable LAM versions.

This vulnerability can have severe consequences for organizations relying on LDAP Account Manager for directory management. Successful exploitation allows an authenticated user to execute arbitrary PHP code on the server, potentially leading to full system compromise. This threatens the confidentiality of sensitive LDAP data, including user credentials and group information, and can undermine the integrity of directory entries. Availability may also be impacted if attackers disrupt services or deploy ransomware. Since LAM is often deployed in enterprise environments managing critical identity and access data, attackers gaining code execution could pivot to other internal systems, escalate privileges, or exfiltrate data. The requirement for authentication limits exposure to insider threats or compromised accounts but does not eliminate risk, especially in environments with weak credential controls. The lack of user interaction needed makes automated exploitation feasible once credentials are obtained. Overall, the vulnerability poses a high risk to organizational security posture and operational continuity.

The primary mitigation is to upgrade LDAP Account Manager to version 9.5 or later, where the vulnerability is patched. Until upgrading is possible, organizations should implement the following specific measures: 1) Restrict file system permissions by making the /var/lib/ldap-account-manager/config directory read-only for the web server user to prevent modification or inclusion of malicious PHP files. 2) Delete or disable PDF profile files to disable the vulnerable PDF export functionality, thereby removing the attack vector. 3) Enforce strong authentication controls on LAM, including multi-factor authentication and strict password policies, to reduce the risk of credential compromise. 4) Monitor LAM logs for unusual access patterns or attempts to access PDF export features. 5) Isolate the LAM server within a segmented network zone with limited access to reduce lateral movement potential. 6) Regularly audit and update all related dependencies and PHP configurations to minimize attack surface. 7) Educate administrators about the vulnerability and ensure timely patch management processes are in place. These targeted mitigations go beyond generic advice by focusing on the specific vulnerable components and attack vectors.