CVE-2026-46368
Deferred - Pending Action
Command Injection in luci-app-https-dns-proxy

Publication date: 2026-05-26

Last updated on: 2026-05-26

Assigner: VulnCheck

Description
luci-app-https-dns-proxy through 2025.12.29-5, an optional LuCI web UI add-on for the https-dns-proxy package, distributed through the OpenWrt community packages feed and not installed by default, contains a command injection vulnerability in the setInitAction function. An authenticated user holding the luci.https-dns-proxy ACL permission can inject shell metacharacters through the 'name' parameter of a ubus RPC call to luci.https-dns-proxy setInitAction, resulting in arbitrary command execution as root on the underlying device. Core OpenWrt is not affected; only installations that have opted in to the luci-app-https-dns-proxy package are vulnerable.
Meta Information

Published: 2026-05-26
Last Modified: 2026-05-26
Generated: 2026-06-15
AI Q&A: 2026-05-26
EPSS Evaluated: 2026-06-14

Affected Vendors & Products
Currently, no data is known.
CWE

CWE-77: The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Executive Summary

CVE-2026-46368 is a high-severity authenticated command injection vulnerability in the luci-app-https-dns-proxy package, an optional LuCI web UI add-on for OpenWrt. The flaw exists in the setInitAction function, where an authenticated user with the luci.https-dns-proxy ACL permission can inject shell metacharacters through the 'name' parameter of a ubus RPC call. This injection leads to arbitrary command execution as root on the affected device.

This vulnerability only affects installations that have explicitly installed the luci-app-https-dns-proxy package; the core OpenWrt system is not impacted.

Impact Analysis

This vulnerability allows an authenticated user with limited privileges to execute arbitrary commands as the root user on the affected device. This can lead to full system compromise, including unauthorized access to sensitive data, modification or deletion of system files, disruption of services, and potential installation of persistent malicious software.

Because the attacker gains root-level access, the impact on confidentiality, integrity, and availability of the device and its data is severe.

Detection Guidance

This vulnerability can be detected by checking if the luci-app-https-dns-proxy package is installed on your OpenWrt device and whether it is a version up to and including 2025.12.29-5.

Detection involves verifying if an authenticated user with luci.https-dns-proxy ACL permission can send ubus RPC calls to the setInitAction function with crafted 'name' parameters that include shell metacharacters.

While no explicit detection commands are provided, you can check for the presence of the vulnerable package and its version using OpenWrt package management commands such as:

  • opkg list-installed | grep luci-app-https-dns-proxy
  • opkg info luci-app-https-dns-proxy

Additionally, monitoring ubus RPC calls to luci.https-dns-proxy setInitAction for suspicious 'name' parameter values containing shell metacharacters could help detect exploitation attempts.
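
One way to implement the monitoring described above, as an added example that is not code from the advisory or from the OpenWrt project. It assumes you can capture the JSON-RPC request bodies sent to LuCI's /ubus endpoint (for example at a reverse proxy) and that legitimate 'name' values contain only letters, digits, '_', '.' and '-'; the sample bodies are constructed and omit any other arguments the call may take.

```python
import json
import re

TARGET_OBJECT = "luci.https-dns-proxy"
TARGET_METHOD = "setInitAction"
# Assumption: a legitimate init script name uses only these characters.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]+")


def suspicious_calls(body):
    """Return the 'name' values in setInitAction calls that fail the allowlist."""
    try:
        doc = json.loads(body)
    except ValueError:
        return []
    requests = doc if isinstance(doc, list) else [doc]  # JSON-RPC batches are arrays
    hits = []
    for req in requests:
        if not isinstance(req, dict) or req.get("method") != "call":
            continue
        params = req.get("params")
        # ubus JSON-RPC "call" params: [session_id, object, method, arguments]
        if not isinstance(params, list) or len(params) != 4:
            continue
        _session, obj, method, args = params
        if obj != TARGET_OBJECT or method != TARGET_METHOD:
            continue
        name = args.get("name") if isinstance(args, dict) else None
        # A missing or non-string name is also reported: it is not a normal call.
        if not isinstance(name, str) or not SAFE_NAME.fullmatch(name):
            hits.append(name)
    return hits


def _call(obj, method, args, rid=1):
    # Builds a constructed request body; the session id is a placeholder.
    return {"jsonrpc": "2.0", "id": rid, "method": "call",
            "params": ["0" * 32, obj, method, args]}


# Constructed sample request bodies (not captured traffic).
BENIGN = json.dumps(_call(TARGET_OBJECT, TARGET_METHOD, {"name": "https-dns-proxy"}))
FLAGGED = json.dumps(_call(TARGET_OBJECT, TARGET_METHOD, {"name": "https-dns-proxy;placeholder"}))
BATCH = json.dumps([_call("system", "board", {}),
                    _call(TARGET_OBJECT, TARGET_METHOD, {"name": "$(placeholder)"}, 2)])

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("flagged", FLAGGED), ("batch", BATCH)):
        print(label, suspicious_calls(body))
```

An allowlist is used rather than a list of known metacharacters so that newlines, quoting characters and other unexpected bytes are flagged as well.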

Mitigation Strategies

Immediate mitigation steps include removing or disabling the luci-app-https-dns-proxy package if it is not required, as the core OpenWrt system is not affected.

If the package is needed, restrict access to users with the luci.https-dns-proxy ACL permission and ensure only trusted users have this permission.

Apply any available updates or patches that address this vulnerability once they are released.

Monitor your system for suspicious activity related to ubus RPC calls to luci.https-dns-proxy setInitAction and consider resetting credentials if compromise is suspected.

Compliance Impact

The vulnerability allows an authenticated user with specific permissions to execute arbitrary commands as root on the affected device, which can lead to unauthorized access and control over sensitive data and system functions.

Such unauthorized root access and potential data compromise could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and availability.

However, the vulnerability only affects installations that have explicitly opted in to the luci-app-https-dns-proxy package, and not the core OpenWrt system.
