CVE-2026-26793
Command Injection in GL-iNet GL-AR300M16 Allows Remote Code Execution
Publication date: 2026-03-12
Last updated on: 2026-03-13
Assigner: MITRE
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gl-inet | ar300m16_firmware | 4.3.11 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability allows remote attackers with valid admin access to execute arbitrary commands on the affected router. This can lead to unauthorized control over the device, including the ability to modify configurations, create or delete files, and potentially use the router as a foothold to attack other devices on the network.
Such control compromises the security and integrity of the router, potentially leading to data breaches, network disruptions, or further exploitation within the network environment.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
Can you explain this vulnerability to me?
CVE-2026-26793 is a command injection vulnerability found in the GL-iNet GL-AR300M16 router firmware version 4.3.11. The issue exists in the set_config function of the WireGuard server configuration module, where user input from the private_key parameter is directly concatenated into system commands without proper sanitization or validation.

An attacker who has access to the router's RPC interface and valid admin credentials can exploit this vulnerability by sending a specially crafted JSON-RPC request. This request includes malicious commands embedded in the private_key field, allowing the attacker to execute arbitrary system commands on the device. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending a specially crafted HTTP JSON-RPC request to the router's RPC endpoint (e.g., http://192.168.2.10/rpc) that targets the set_config function with a malicious payload in the private_key field.

Detection involves verifying if the device executes arbitrary commands embedded in the private_key parameter. For example, sending a payload that creates a file such as 'echo 1234>/www/pwntest1.txt' can confirm the vulnerability if the file is created.

The request must include appropriate headers mimicking legitimate traffic, including a valid admin token cookie.

A practical approach is to use a Python script with the requests library to send the crafted JSON-RPC request to the device and check for the side effects of command execution. [1]
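A passive complement to the active check above, as an added example that is not from the advisory or the vendor: a WireGuard key is 32 bytes encoded as 44 base64 characters, so any private_key value in captured JSON-RPC traffic that fails that format deserves investigation. The request layout, the `<sid>` and `<module>` placeholders and both sample bodies are constructed assumptions.

```python
import base64
import binascii
import json
import re

# A WireGuard key is 32 raw bytes: exactly 43 base64 characters plus one "=".
_WG_KEY_RE = re.compile(r"[A-Za-z0-9+/]{43}=")

def is_valid_wg_key(value):
    """True only for a string that is a well-formed base64 WireGuard key."""
    if not isinstance(value, str) or not _WG_KEY_RE.fullmatch(value):
        return False
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False

def find_bad_private_keys(node, path="$"):
    """Walk decoded JSON; return (path, value) for each invalid private_key."""
    bad = []
    if isinstance(node, dict):
        for key, val in node.items():
            here = f"{path}.{key}"
            if key == "private_key" and not is_valid_wg_key(val):
                bad.append((here, val))
            else:
                bad.extend(find_bad_private_keys(val, here))
    elif isinstance(node, list):
        for i, val in enumerate(node):
            bad.extend(find_bad_private_keys(val, f"{path}[{i}]"))
    return bad

def audit_rpc_body(body):
    """Audit one captured request body; unparseable JSON is reported too."""
    try:
        return find_bad_private_keys(json.loads(body))
    except json.JSONDecodeError:
        return [("$", "<unparseable JSON>")]

def make_body(key):
    """Constructed sample request; the params layout is an assumption."""
    return json.dumps({"jsonrpc": "2.0", "id": 1, "method": "call",
                       "params": ["<sid>", "<module>", "set_config",
                                  {"private_key": key}]})

GOOD_KEY = base64.b64encode(bytes(range(32))).decode()  # constructed, not a real key
SAMPLE_OK = make_body(GOOD_KEY)
SAMPLE_BAD = make_body("AAAA;placeholder")  # constructed: shell metacharacter in the field

if __name__ == "__main__":
    for name, body in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, audit_rpc_body(body))
```

The same allow-list check, applied on the device before private_key reaches any command string, is the input validation the CWE-77 description calls for.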
What immediate steps should I take to mitigate this vulnerability?
I don't know