Unsafe Deserialization Vulnerability in openITCOCKPIT Monitoring Tool
CVE-2026-24891

7.5HIGH

Key Information:

Vendor: Openitcockpit
Status: Openitcockpit
Vendor: CVE Published:; 20 February 2026

🔔 Create Openitcockpit Vulnerability Alert

What is CVE-2026-24891?

The openITCOCKPIT monitoring tool has a vulnerability in its Gearman worker implementation that allows for unsafe deserialization of job payloads. Specifically, the unsanitized use of PHP's unserialize() function poses risks when payloads are processed without enforcing class restrictions or validating data sources. This oversight can lead to PHP Object Injection, potentially allowing attackers from untrusted systems to submit malicious serialized data if Gearman service is exposed. The risk is amplified in misconfigured deployments where Gearman listens on non-local interfaces or allows open TCP access to port 4730. Upgrading to version 5.4.0 addresses this issue by enforcing necessary data validation within application code.

Affected Version(s)

openITCOCKPIT < 5.4.0

References

https://github.com/openITCOCKPIT/openITCOCKPIT/security/a...

x_refsource_CONFIRM

https://github.com/openITCOCKPIT/openITCOCKPIT/releases/t...

x_refsource_MISC

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 20, 2026
Vulnerability Reserved
Jan 27, 2026

CVE-2026-24891 Data

JSON