CVE-2026-45776: OpenXDMoD SUPReMM Access Control Bypass – Patch to 11.0.3
OpenXDMoD is an open-source framework used by HPC (high-performance computing) centers to collect and monitor system performance metrics. Versions before 11.0.3 contain a session-handling flaw that allows an authenticated attacker to manipulate authorization checks. If an installation includes the optional Job Performance (SUPReMM) module, an attacker could view other users' job efficiency data they shouldn't have access to. The vulnerability requires an existing login but does not require admin privileges.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-284
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Prior to version 11.0.3, a flaw in Open XDMoD's access control logic allows an attacker to submit a crafted HTTPS POST request that sets a session variable used for authorization decisions. If an installation of Open XDMoD includes the optional Job Performance (SUPReMM) module, an attacker could bypass intended data access restrictions and view other users' compute job efficiency metrics. All deployments of Open XDMoD prior to version 11.0.3 that contain the optional Job Performance (SUPReMM) module are impacted. This issue was reported privately on 2026-04-06, and at this time there is no evidence that this vulnerability has been exploited in the wild. The vulnerability was patched in Open XDMoD 11.0.3 on 2026-05-12. As a workaround, apply the patch manually.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-45776 stems from improper access control in OpenXDMoD's session variable handling. An attacker with valid credentials can craft a POST request to set a session variable that is later used in authorization decisions. The flaw is specifically triggered when the SUPReMM module is active. The resulting bypass is limited to unauthorized read access to job performance metrics; no data modification or system availability impact occurs. The vulnerability scored CVSS 4.3 (MEDIUM) under CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, reflecting the requirement for prior authentication and the confined scope of information disclosure.
Business impact
For research institutions and national labs relying on OpenXDMoD to track HPC resource usage, unauthorized visibility into job efficiency metrics can undermine user privacy and competitive advantage in research workflows. Users may be unaware their performance data is exposed to other authenticated users. No direct operational downtime or data destruction occurs, but data sensitivity in academic and scientific settings may trigger compliance or policy violations. Reputational impact depends on the sensitivity of workload data visible through the metrics.
Affected systems
All deployments of OpenXDMoD prior to version 11.0.3 are vulnerable if the optional Job Performance (SUPReMM) module is installed. Installations without SUPReMM are not impacted. The vulnerability affects the framework itself; impact scope is limited to authenticated users within an OpenXDMoD installation.
Exploitability
Exploitation requires an attacker to possess valid credentials to the OpenXDMoD instance—either a personal account or compromised user credentials. No authentication bypass is present; the flaw only affects authorization after login. The technical bar is low: an HTTP POST request with a crafted session variable. No user interaction, social engineering, or complex tooling is required. As of the published date (2026-06-05), no active exploitation in the wild has been reported.
Remediation
OpenXDMoD 11.0.3, released on 2026-05-12, patches the session variable handling and access control logic. Organizations must upgrade to this version or later. A manual patch option is documented by the vendor for environments where immediate version upgrades are not feasible; consult the OpenXDMoD advisory for backported patch details. After patching, affected users' historical data exposure cannot be reversed but future access is controlled.
Patch guidance
Upgrade OpenXDMoD to version 11.0.3 or later. Verify the SUPReMM module status in your deployment configuration; if not installed, the vulnerability does not apply but patching for general security posture remains recommended. Test the upgrade in a non-production environment first, as OpenXDMoD integrations with HPC schedulers may require configuration validation. Review any access logs between the initial CVE publication date (2026-04-06) and your patching date to identify suspicious session activity. The vendor's advisory should be consulted for specific upgrade procedures and any breaking changes.
Detection guidance
Monitor web server logs for POST requests to OpenXDMoD that attempt to set or modify session variables. Look for requests from authenticated users targeting administrative or configuration endpoints they don't typically access. If SUPReMM is enabled, audit access to job performance query endpoints and cross-reference with user role assignments. Application-level logging in OpenXDMoD (if enabled) should show unusual session state modifications. However, detection is challenging if logs are not retained; proactive patching is more reliable than reactive detection for this flaw.
Why prioritize this
Although the CVSS score is moderate (4.3), priority should be elevated for installations with sensitive research workloads or strict data governance requirements. The barrier to exploitation is low (valid credentials only), and the privacy implications for job metrics may exceed the raw severity score. Academic and national labs handling proprietary or classified computing tasks should treat this as high-priority. Commercial HPC centers with SLAs or regulatory obligations should patch within 30 days. Low-risk test or development deployments can be deprioritized but should not be ignored indefinitely.
Risk score, explained
The CVSS 4.3 MEDIUM score reflects: (1) Network attack vector (attacker can exploit remotely), (2) Low attack complexity (standard HTTP POST), (3) Low privileges required (authenticated user), (4) No user interaction needed, (5) Confidentiality impact limited to one user's unauthorized view of another's metrics, and (6) No integrity or availability impact. The score appropriately penalizes the authentication requirement and confined scope, but does not fully capture privacy risk in regulated or highly sensitive research environments. Organizations should consider contextual risk elevation based on data classification.
Frequently asked questions
Do I need to patch if I don't use the SUPReMM module?
No. The vulnerability only manifests when the optional Job Performance (SUPReMM) module is installed and enabled. If your deployment does not include SUPReMM, this CVE does not apply. However, you may still wish to update OpenXDMoD for other security and stability improvements.
Can an attacker without a login exploit this?
No. An attacker must have valid credentials to an OpenXDMoD instance. The flaw does not bypass authentication; it bypasses authorization checks for authenticated users. If your OpenXDMoD installation restricts logins to your organization, the risk is limited to insider threats or compromised user accounts.
What data is at risk?
Only job efficiency and performance metrics within the SUPReMM module are exposed. This includes metrics such as job runtime, CPU utilization, memory usage, and I/O performance. User account passwords, system configurations, and compute results are not directly compromised by this vulnerability.
Is there evidence this has been actively exploited?
No. As of the CVE publication date, there is no publicly reported evidence of active exploitation in the wild. The vulnerability was reported privately on 2026-04-06 and patched by the vendor on 2026-05-12, limiting the window for undetected attacks. However, proactive patching is recommended rather than waiting for exploitation reports.
This analysis is based on information available as of the CVE publication date and does not constitute professional security advice. Organizations should verify patch availability and compatibility in their specific OpenXDMoD deployments by consulting the official OpenXDMoD security advisories and release notes. Patch version numbers and vendor URLs must be independently confirmed. Testing in non-production environments is mandatory before deploying patches to production systems. This assessment makes no claim regarding the completeness or timeliness of vulnerability disclosure and should be supplemented with internal risk assessment and vendor communications. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2024-27891MEDIUMArista EOS MACsec + Egress ACL Policy Enforcement Failure
- CVE-2026-10152MEDIUMImproper Access Control in TaleLin lin-cms-spring-boot Book Endpoint
- CVE-2026-10172MEDIUMBdtask Multi-Store Inventory 1.0 Unrestricted File Upload Vulnerability
- CVE-2026-10205MEDIUMUnrestricted File Upload in Metasoft MetaCRM 6.4.0 – Exploit Details & Remediation
- CVE-2026-10255MEDIUMPharmacy Sales System Authentication Bypass – SourceCodester 1.0
- CVE-2026-10277MEDIUMImproper Access Control in MCP Google Workspace Gmail Tool
- CVE-2026-10806MEDIUMUnrestricted File Upload in mjperpinosa stumasy
- CVE-2026-10807MEDIUMUnrestricted File Upload in mjperpinosa stumasy Profile Image Handler