CVE-2026-29782: CWE-502: Deserialization of Untrusted Data in devcode-it openstamanager
OpenSTAManager is open-source management software for technical assistance and invoicing. Prior to version 2.10.2, the oauth2.php file in OpenSTAManager is an unauthenticated endpoint ($skip_permissions = true). It loads a record from the zz_oauth2 table using the attacker-controlled GET parameter `state`, and during the OAuth2 configuration flow calls unserialize() on the access_token field without any class restriction. This issue has been patched in version 2.10.2.
AI Analysis
Technical Summary
CVE-2026-29782 is a deserialization of untrusted data vulnerability (CWE-502) in OpenSTAManager, open-source technical-assistance and invoicing management software. The vulnerability exists in the oauth2.php file prior to version 2.10.2, which exposes an unauthenticated endpoint with $skip_permissions set to true. This endpoint accepts a GET parameter named `state` that is used to load a record from the zz_oauth2 database table. During the OAuth2 configuration flow, the application calls PHP's unserialize() function on the access_token field of that record without any class restriction or validation. Because the data is attacker-controlled and unserialized without safeguards, this can lead to remote code execution (RCE) or other malicious object injection attacks. The CVSS v3.1 score is 7.2 (high), reflecting a network attack vector, low attack complexity, privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. Although exploitation requires some privileges to control the `state` parameter, the endpoint itself is unauthenticated, which increases the risk. The vulnerability has been patched in OpenSTAManager version 2.10.2. No known exploits in the wild have been reported to date.
Potential Impact
Successful exploitation of this vulnerability can lead to full compromise of the affected OpenSTAManager instance. Attackers can execute arbitrary code remotely, potentially gaining control over the server hosting the application. This threatens the confidentiality of sensitive invoicing and technical assistance data, compromises data integrity by allowing unauthorized modifications, and impacts availability through potential denial-of-service conditions or system instability. Organizations relying on OpenSTAManager for business-critical operations face risks of data breaches, financial fraud, and operational disruption. Given the unauthenticated nature of the vulnerable endpoint, attackers can attempt exploitation remotely over the network, increasing the attack surface. The requirement for some privilege to influence the 'state' parameter somewhat limits exploitation but does not eliminate risk, especially in environments with weak access controls or insider threats.
Mitigation Recommendations
The primary mitigation is to upgrade OpenSTAManager to version 2.10.2 or later, where the vulnerability has been patched. Until an upgrade is possible, organizations should restrict access to the oauth2.php endpoint with network-level controls such as IP allow-listing or VPN-only access. Additionally, review and harden the OAuth2 configuration flow so that untrusted input is never passed directly to unserialize() or similar unsafe functions. Employ application-layer firewalls or runtime application self-protection (RASP) tools to detect and block malicious deserialization attempts. Conduct thorough code audits to identify and refactor any other uses of unserialize() without class restrictions. Monitor logs for suspicious activity involving the `state` parameter or the OAuth2 endpoints. Finally, implement strong privilege separation and minimize permissions to reduce an attacker's ability to manipulate parameters that feed deserialization.
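As an added illustration, not code from OpenSTAManager, the following PHP sketch shows the unsafe shape the advisory describes beside a hardened loader that binds `state` to the session, refuses to instantiate any class during unserialize(), and accepts only a flat array of scalars. The function names, the PDO lookup and the sample token strings are constructed for this example.

```php
<?php
// Added example (not OpenSTAManager code). The advisory describes oauth2.php
// calling unserialize() on the access_token column of a zz_oauth2 row selected
// by the GET parameter "state". Below: a loader in that unsafe shape, then a
// hardened loader that (1) ties state to the caller's session, (2) never lets
// serialized data instantiate classes, and (3) rejects anything that is not a
// plain token array. Names and sample data are constructed for illustration.

// OAuth2 state is a CSRF token: it must match what this session issued.
function stateIsValid(string $state): bool
{
    $expected = $_SESSION['oauth2_state'] ?? '';
    return $expected !== '' && hash_equals($expected, $state);
}

// Constructed stand-in for the database lookup (assumes a PDO handle).
function loadOauthRow(PDO $db, string $state): ?array
{
    $stmt = $db->prepare('SELECT access_token FROM zz_oauth2 WHERE state = :state');
    $stmt->execute([':state' => $state]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Unsafe shape: any autoloadable class can be instantiated from the stored string,
// so its magic methods (__wakeup, __destruct, ...) run on attacker-chosen data.
function accessTokenUnsafe(array $row)
{
    return unserialize($row['access_token']);
}

// Hardened shape: allowed_classes => false turns any object into
// __PHP_Incomplete_Class instead of instantiating it; the result is then
// required to be an array whose members are all scalars (or null).
function accessTokenSafe(array $row): ?array
{
    $value = @unserialize($row['access_token'], ['allowed_classes' => false]);
    if (!is_array($value)) {
        return null;
    }
    foreach ($value as $k => $v) {
        if (!is_string($k) || !(is_scalar($v) || $v === null)) {
            return null; // object or nested structure: refuse the token
        }
    }
    return $value;
}

// Constructed inputs: a legitimate token array and an object-bearing string.
$ok  = accessTokenSafe(['access_token' => serialize(['token' => 'abc', 'expires' => 3600])]);
$bad = accessTokenSafe(['access_token' => 'O:8:"stdClass":0:{}']);
var_dump($ok, $bad);
```

Storing the token as JSON and reading it with json_decode($stored, true) removes unserialize() from the flow entirely and is the preferable refactor where the schema can change.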
Affected Countries
United States, Germany, France, United Kingdom, Canada, Australia, Netherlands, Italy, Spain, Brazil
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-04T16:26:02.898Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69ce7bd9e6bfc5ba1ddfe6c7
Added to database: 4/2/2026, 2:23:21 PM
Last enriched: 4/2/2026, 2:40:15 PM
Last updated: 4/3/2026, 5:56:04 AM