CVE-2026-5841
Path Traversal in Tenda i3 HTTP Handler Enables Remote Exploit
Publication date: 2026-04-09
Last updated on: 2026-04-30
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tenda | i3_firmware | 1.0.0.6(2204) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The CVE-2026-5841 vulnerability affects the Tenda i3 router firmware version V1.0.0.6(2204). It is an authentication bypass issue in the R7WebsSecurityHandler function, which acts as a security filter for HTTP requests.
The vulnerability occurs because the function uses the C library function 'strncmp' to check if the requested URL starts with certain whitelisted prefixes (like '/public/' or '/lang/'). If the prefix matches, access is allowed without authentication.
However, the function does not properly validate or canonicalize the rest of the URL after the prefix. This allows an unauthenticated remote attacker to craft HTTP requests that start with a whitelisted prefix but include directory traversal sequences ('../') to escape the restricted directory.
For example, a request to '/lang/../system_upgrade.asp' passes the prefix check and bypasses authentication, but the web server resolves this path to a sensitive administrative page, granting the attacker full administrative access.
How can this vulnerability impact me? :
This vulnerability allows unauthenticated remote attackers to bypass security controls and gain full administrative access to the affected Tenda i3 router.
With administrative access, attackers can manipulate device settings, potentially disrupt network operations, install malicious firmware, or access sensitive information.
Because the exploit is publicly available, the risk of attacks exploiting this vulnerability is high.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring HTTP requests to the Tenda i3 router for suspicious URL patterns that exploit the path traversal bypass. Specifically, look for HTTP GET requests that start with whitelisted prefixes such as "/public/" or "/lang/" but include directory traversal sequences like "../" to access restricted files.
A practical detection method is to capture and analyze network traffic targeting the router's web interface and search for requests similar to the proof-of-concept example:
- GET /lang/../system_upgrade.asp HTTP/1.1
You can use tools like tcpdump or Wireshark to capture HTTP traffic and grep or filter for such patterns. For example, using tcpdump on the network interface connected to the router:
- tcpdump -i <interface> -A 'tcp port 80 and (((ip dst <router_ip>) and (tcp[32:4] = 0x47455420)) or ((ip src <router_ip>) and (tcp[32:4] = 0x48545450)))' | grep -E '/(public|lang)/\.\./'
This command captures HTTP GET requests to or from the router IP and filters for URLs containing the whitelisted prefixes followed by directory traversal sequences.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the router's web interface to trusted networks or IP addresses to reduce exposure to unauthenticated remote attacks.
Additionally, monitor and block HTTP requests that attempt to exploit the path traversal by filtering URLs containing directory traversal sequences following whitelisted prefixes.
If possible, update the router firmware to a version where this vulnerability is patched or contact the vendor for a security update.
As a temporary workaround, disable remote management of the router's web interface to prevent external attackers from exploiting this issue.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthenticated remote attackers to bypass security controls and gain full administrative access to the affected Tenda i3 device. This unauthorized access could lead to exposure or manipulation of sensitive data managed by the device.
Such unauthorized access and potential data compromise could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.
However, the provided information does not explicitly state the direct impact on these regulations or compliance frameworks.