Security Advisory - Published 2026-06-12 - Open XDMoD / HPC portal

Open XDMoD CVE-2026-45777: unauthenticated RCE self-check

CVE-2026-45777 affects Open XDMoD 9.5.0 through 11.0.2. For an HPC center, this is not just a dashboard bug: the web server process may sit near scheduler data, identity integrations, usage metrics, exports, and internal hostnames. Upgrade and log review should happen together.

Defensive scope: this page covers version checks, exposure reduction, patching, log review, and compromise triage. It does not include command-injection payloads, unauthenticated test requests, or instructions for probing public portals.

Who is affected

  • Product: Open XDMoD.
  • Affected range: 9.5.0 through 11.0.2.
  • Fixed version: 11.0.3 or newer.
  • Primary risk: unauthenticated remote code execution as the web-server process.

Version and service check

rpm -qa | grep -i xdmod
dpkg -l | grep -i xdmod
find /etc /usr/share /var/www -maxdepth 4 -iname '*xdmod*' 2>/dev/null | head -80
systemctl status httpd apache2 nginx php-fpm 2>/dev/null

If the public portal is on 9.5.0 through 11.0.2, plan the 11.0.3 update before doing any extra testing. A public login page is still an exposed web application.

Exposure to reduce now

  • Limit the Open XDMoD web UI to campus, VPN, SSO proxy, or known administrative networks where possible.
  • Keep export and dashboard functions available only to authenticated users who need them.
  • Back up application config, database, Apache/Nginx config, and scheduler integration config before patching.
  • Do not delete logs. The web-server and PHP logs are the first evidence if the portal was hit.

Logs and compromise signs

  • Web requests from unfamiliar IPs immediately followed by php-fpm, Apache, or Nginx errors.
  • Unexpected child processes owned by the web-server user.
  • Changed Open XDMoD config files, cron entries, writable web directories, or export folders.
  • Outbound connections from the portal host that do not match normal update, email, metrics, or identity traffic.
  • New files under web-writable directories after June 5, 2026.
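The version check above and the file-age sign in this list can be scripted so the same logic runs on every portal host. The block below is an added example, not code from this advisory or from the Open XDMoD project: a POSIX shell version comparison that decides whether a package string from rpm or dpkg falls inside the affected 9.5.0 through 11.0.2 range, plus a scan for files changed after the June 5, 2026 cut-off. The `--check-host` flag, the sample package strings, and the default directory list are assumptions made here.

```shell
#!/bin/sh
# Added example (not the advisory's or Open XDMoD's own tooling).

# Compare two dotted version strings field by field; prints -1, 0 or 1.
vercmp() {
  a=$1 b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    x=${x:-0}; y=${y:-0}
    [ "$x" -lt "$y" ] && { echo -1; return; }
    [ "$x" -gt "$y" ] && { echo 1; return; }
    case $a in *.*) a=${a#*.} ;; *) a='' ;; esac
    case $b in *.*) b=${b#*.} ;; *) b='' ;; esac
  done
  echo 0
}

# True (exit 0) when the version lies in 9.5.0 .. 11.0.2 inclusive.
xdmod_affected() {
  [ "$(vercmp "$1" 9.5.0)" -ge 0 ] && [ "$(vercmp "$1" 11.0.2)" -le 0 ]
}

# Reduce a package string such as "xdmod-10.5.0-1.el8" (constructed sample)
# to its x.y.z version.
xdmod_version_from_pkg() {
  printf '%s\n' "$1" |
    sed 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/'
}

# Print "<version> affected" or "<version> not-affected" for one package string.
xdmod_verdict() {
  v=$(xdmod_version_from_pkg "$1")
  if xdmod_affected "$v"; then echo "$v affected"; else echo "$v not-affected"; fi
}

# List regular files under the given directories modified after the cut-off
# date named in the advisory (GNU find -newermt assumed).
recent_web_files() {
  find "$@" -xdev -type f -newermt '2026-06-05' 2>/dev/null
}

# Stand-alone use on a host: read the package list, judge it, then scan.
if [ "${1:-}" = "--check-host" ]; then
  pkg=$( { rpm -qa 2>/dev/null; dpkg-query -W -f='${Package}-${Version}\n' 2>/dev/null; } \
         | grep -i '^xdmod' | head -1)
  if [ -n "$pkg" ]; then xdmod_verdict "$pkg"; else echo "no xdmod package found"; fi
  recent_web_files /var/www /usr/share/xdmod   # assumed paths; adjust per host
fi
```

A listing from `recent_web_files` is a lead for triage, not proof of compromise; legitimate updates and exports also change files, so compare each hit against the maintenance record.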

Safe fix path

  1. Upgrade Open XDMoD to 11.0.3 or newer.
  2. Patch the host operating system and PHP stack during the same maintenance window if they are behind.
  3. Restart web services and confirm dashboards, exports, and login still work for authorized users.
  4. Review web-server process activity from the last seven days.
  5. Rotate application secrets if logs or filesystem review show signs of command execution or file changes.

When to request repair help

Use Ping7 CVE Repair if the portal was public, you cannot take it offline cleanly, or you found suspicious web-server process activity. Send the Open XDMoD version, web server type, exposure status, and the first suspicious timestamp.
