LDAP Account Manager (LAM) is a web-based interface used to manage LDAP directory entries such as users, groups, and DHCP settings. In versions prior to 9.5, the PDF export component contains a vulnerability (CVE-2026-27895) due to incorrect regular expression validation of uploaded file extensions (CWE-185). This flaw allows an attacker with at least low-level authenticated access to upload files of any type, including malicious PHP scripts, bypassing intended file type restrictions. Once uploaded, these files can be executed by the web server, resulting in remote code execution (RCE) under the web server's user context. The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network. The issue was publicly disclosed in March 2026, with no known active exploits in the wild at the time of publication. The vendor addressed the vulnerability in LAM version 9.5 by properly validating file uploads. A recommended workaround before upgrading is to restrict write permissions on the /var/lib/ldap-account-manager/config directory to prevent unauthorized file uploads by the web server process.

Successful exploitation of this vulnerability can lead to remote code execution on the server hosting LDAP Account Manager, compromising the confidentiality and integrity of the system and potentially the broader network. Attackers could execute arbitrary commands, modify LDAP data, or pivot to other internal systems. Although the web server user privileges may be limited, attackers can leverage this foothold for further privilege escalation or lateral movement. Organizations relying on LAM for critical LDAP management risk disruption of directory services, unauthorized data access, and potential exposure of sensitive user and group information. The vulnerability's medium CVSS score reflects the need for authentication and limited impact on confidentiality but highlights the serious risk posed by remote code execution capabilities.

The primary mitigation is to upgrade LDAP Account Manager to version 9.5 or later, where the vulnerability is fixed. Until an upgrade is possible, administrators should implement the workaround by making the /var/lib/ldap-account-manager/config directory read-only for the web server user to prevent unauthorized file uploads. Additionally, organizations should restrict access to the LAM interface to trusted networks and authenticated users only, minimizing exposure. Employing web application firewalls (WAFs) to detect and block suspicious file upload attempts can provide an additional layer of defense. Regularly auditing uploaded files and monitoring web server logs for anomalous activity can help detect exploitation attempts early. Finally, applying the principle of least privilege to the web server user and isolating the LAM application environment can limit the impact of a successful attack.