CVE-2026-26791
Status: Received - Intake
Command Injection in GL-iNet GL-AR300M16 Enables Remote Code Execution

Publication date: 2026-03-12

Last updated on: 2026-03-16

Assigner: MITRE

Description
GL-iNet GL-AR300M16 v4.3.11 was discovered to contain a command injection vulnerability via the port string parameter of the enable_echo_server function. This vulnerability allows attackers to execute arbitrary commands via crafted input.
Meta Information
Published: 2026-03-12
Last Modified: 2026-03-16
Generated: 2026-05-07
AI Q&A: 2026-03-12
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
1 associated CPE

Vendor    Product             Version / Range
gl-inet   ar300m16_firmware   4.3.11
CWE
CWE-77: The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-26791 is a command injection vulnerability found in the GL-iNet GL-AR300M16 router firmware version 4.3.11. The issue exists in the function called enable_echo_server, which processes a parameter named port without proper sanitization or validation.

Because the port parameter is directly embedded into system commands and executed, an attacker can craft malicious input that injects arbitrary shell commands. This allows the attacker to execute any command on the device with elevated privileges.

Exploitation involves sending a specially crafted HTTP JSON-RPC request to the router's RPC endpoint, including a malicious port parameter that contains shell commands. For example, an attacker can write arbitrary data to files on the device, demonstrating full command execution capability. [1]


How can this vulnerability impact me?

This vulnerability allows attackers with network access and valid admin tokens to remotely execute arbitrary commands on the affected router.

Such command execution can lead to complete compromise of the device, including unauthorized access to sensitive data, modification or deletion of files, installation of malware, or using the device as a foothold to attack other network resources.

Because the attacker can run commands with elevated privileges, the impact is critical and can severely affect the security and integrity of your network environment.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by sending a crafted HTTP JSON-RPC POST request to the router's RPC endpoint that attempts to exploit the command injection via the port parameter in the enable_echo_server function.

An example detection method involves using a script or command to send a POST request to http://<router-ip>/rpc with a JSON payload calling enable_echo_server and injecting a harmless command such as writing a test string to a file.

- Use curl or a similar tool to send a POST request with a JSON payload like: {"method":"enable_echo_server","params":["7 $(echo test123 >/www/test.txt)"]}
- Check the device filesystem for the presence of the test file (e.g., /www/test.txt) containing the injected string to confirm the vulnerability.
- Alternatively, use a Python script with the requests library to automate sending the crafted request and analyze the HTTP response for signs of successful command execution. [1]
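The explanation answer above describes the flaw (a port string pasted into a system command) and the detection answer describes an active probe that exercises it. The Python below is an added example, not GL-iNet firmware code or a script from this page. Because the real enable_echo_server implementation is not shown here, the vulnerable builder only reconstructs the CWE-77 pattern the description implies (the helper name echo_server is a placeholder); beside it sits a hardened parser that accepts only an integer port in 1..65535 and builds an argv list, plus a passive inspection rule that flags a JSON-RPC body calling enable_echo_server with a non-numeric port, using the payload quoted in the detection answer as constructed sample input. Unlike the active probe, which writes a file under /www on the target and, per the impact answer, needs a valid admin token, this runs offline and changes nothing on a device.

```python
"""
Added example for CVE-2026-26791 (CWE-77). Not GL-iNet firmware code: the real
enable_echo_server is not shown on this page, so vulnerable_command() only
reconstructs the pattern the description implies, and 'echo_server' is a
placeholder helper name.
"""
import json
import re

# Payload quoted in the detection answer above (constructed sample input).
PAGE_PAYLOAD = (
    '{"method":"enable_echo_server",'
    '"params":["7 $(echo test123 >/www/test.txt)"]}'
)

# Characters that let a value escape its position in a shell command line.
SHELL_META = re.compile(r"[\s;&|`$(){}<>\\'\"]")


def vulnerable_command(port: str) -> str:
    """Reconstruction of the flawed pattern: the untrusted port string is
    pasted into a shell command line. Nothing is executed here; the returned
    string is what a shell would be handed, with any $(...) left intact."""
    return f"echo_server -p {port} &"


def validate_port(value) -> int:
    """Hardened parsing: accept an int, or a string of 1-5 decimal digits,
    in the range 1..65535. Whitespace, $( ), ; | & and quotes never pass."""
    if isinstance(value, bool):
        raise ValueError("port must be an integer, not a bool")
    if isinstance(value, str):
        if not re.fullmatch(r"[0-9]{1,5}", value):
            raise ValueError(f"port is not a decimal integer: {value!r}")
        value = int(value)
    if not isinstance(value, int) or not 1 <= value <= 65535:
        raise ValueError(f"port out of range: {value!r}")
    return value


def is_valid_port(value) -> bool:
    """Boolean wrapper around validate_port for filters and tests."""
    try:
        validate_port(value)
        return True
    except ValueError:
        return False


def safe_argv(port) -> list:
    """Hardened builder: the validated integer goes into an argv list meant
    for subprocess.run(argv) with no shell, so it cannot alter the command."""
    return ["echo_server", "-p", str(validate_port(port))]


def inspect_rpc_body(body: str) -> dict:
    """Detection rule for a JSON-RPC body captured on the wire or from a log:
    flag enable_echo_server calls whose port param is not a clean integer.
    Accepts positional params (as in the page payload) or a {"port": ...} map."""
    try:
        req = json.loads(body)
    except json.JSONDecodeError:
        return {"suspicious": False, "reason": "not JSON"}
    if not isinstance(req, dict) or req.get("method") != "enable_echo_server":
        return {"suspicious": False, "reason": "other method"}
    params = req.get("params")
    if isinstance(params, dict):
        port = params.get("port")
    elif isinstance(params, list) and params:
        port = params[0]
    else:
        return {"suspicious": True, "reason": "missing port"}
    try:
        validate_port(port)
    except ValueError as exc:
        meta = bool(isinstance(port, str) and SHELL_META.search(port))
        return {"suspicious": True, "reason": str(exc), "shell_metachars": meta}
    return {"suspicious": False, "reason": "clean port"}


if __name__ == "__main__":
    evil = json.loads(PAGE_PAYLOAD)["params"][0]
    print(vulnerable_command(evil))   # the $(...) survives into the command line
    print(safe_argv("7"))             # ['echo_server', '-p', '7']
    print(inspect_rpc_body(PAGE_PAYLOAD))
```

inspect_rpc_body() can be run over request bodies logged by a reverse proxy in front of the router's RPC endpoint; a hit does not prove exploitation succeeded, only that someone sent a port value that the hardened parser would have refused, which on an unpatched 4.3.11 device is the condition the description requires.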


What immediate steps should I take to mitigate this vulnerability?

I don't know

