CVE-2026-30874
Environment Variable Injection in OpenWrt Hotplug Enables Privilege Escalation
Publication date: 2026-03-19
Last updated on: 2026-03-23
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openwrt | openwrt | to 24.10.6 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-187 | The product performs a comparison that only examines a portion of a factor before determining whether there is a match, such as a substring, leading to resultant weaknesses. |
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the OpenWrt Project's hotplug_call function in versions prior to 24.10.6. The function is supposed to filter out sensitive environment variables like PATH when executing hotplug scripts, but due to a bug using strcmp instead of strncmp, the filter fails to detect and exclude the PATH variable.
Because the filter compares the full environment string (e.g., PATH=/some/value) against the literal "PATH" and always fails, the PATH variable is never excluded. This allows an attacker to inject an arbitrary PATH variable, controlling which binaries are executed by scripts running with elevated privileges, potentially leading to privilege escalation.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to escalate their privileges on a device running a vulnerable version of OpenWrt by injecting a malicious PATH environment variable.
By controlling the PATH variable, the attacker can influence which binaries are executed by privileged scripts, potentially executing malicious code with elevated privileges.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is fixed in OpenWrt version 24.10.6. The immediate step to mitigate this vulnerability is to upgrade your OpenWrt system to version 24.10.6 or later.
This update corrects the hotplug_call function to properly filter out the PATH environment variable, preventing attackers from injecting arbitrary PATH values and escalating privileges.