CVE-2026-30874
Received Received - Intake
Environment Variable Injection in OpenWrt Hotplug Enables Privilege Escalation

Publication date: 2026-03-19

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
OpenWrt Project is a Linux operating system targeting embedded devices. In versions prior to 24.10.6, a vulnerability in the hotplug_call function allows an attacker to bypass environment variable filtering and inject an arbitrary PATH variable, potentially leading to privilege escalation. The function is intended to filter out sensitive environment variables like PATH when executing hotplug scripts in /etc/hotplug.d, but a bug using strcmp instead of strncmp causes the filter to compare the full environment string (e.g., PATH=/some/value) against the literal "PATH", so the match always fails. As a result, the PATH variable is never excluded, enabling an attacker to control which binaries are executed by procd-invoked scripts running with elevated privileges. This issue has been fixed in version 24.10.6.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-19
Last Modified
2026-03-23
Generated
2026-06-16
AI Q&A
2026-03-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-30874
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openwrt openwrt to 24.10.6 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-187 The product performs a comparison that only examines a portion of a factor before determining whether there is a match, such as a substring, leading to resultant weaknesses.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the OpenWrt Project's hotplug_call function in versions prior to 24.10.6. The function is supposed to filter out sensitive environment variables like PATH when executing hotplug scripts, but due to a bug using strcmp instead of strncmp, the filter fails to detect and exclude the PATH variable.

Because the filter compares the full environment string (e.g., PATH=/some/value) against the literal "PATH" and always fails, the PATH variable is never excluded. This allows an attacker to inject an arbitrary PATH variable, controlling which binaries are executed by scripts running with elevated privileges, potentially leading to privilege escalation.

Impact Analysis

This vulnerability can allow an attacker to escalate their privileges on a device running a vulnerable version of OpenWrt by injecting a malicious PATH environment variable.

By controlling the PATH variable, the attacker can influence which binaries are executed by privileged scripts, potentially executing malicious code with elevated privileges.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

The vulnerability is fixed in OpenWrt version 24.10.6. The immediate step to mitigate this vulnerability is to upgrade your OpenWrt system to version 24.10.6 or later.

This update corrects the hotplug_call function to properly filter out the PATH environment variable, preventing attackers from injecting arbitrary PATH values and escalating privileges.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-30874. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart