CVE-2026-46368
Command Injection in luci-app-https-dns-proxy
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: VulnCheck
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-46368 is a high-severity authenticated command injection vulnerability in the luci-app-https-dns-proxy package, an optional LuCI web UI add-on for OpenWrt. The flaw exists in the setInitAction function, where an authenticated user with the luci.https-dns-proxy ACL permission can inject shell metacharacters through the 'name' parameter of a ubus RPC call. This injection leads to arbitrary command execution as root on the affected device.
This vulnerability only affects installations that have explicitly installed the luci-app-https-dns-proxy package; the core OpenWrt system is not impacted.
How can this vulnerability impact me?
This vulnerability allows an authenticated user with limited privileges to execute arbitrary commands as the root user on the affected device. This can lead to full system compromise, including unauthorized access to sensitive data, modification or deletion of system files, disruption of services, and potential installation of persistent malicious software.
Because the attacker gains root-level access, the impact on confidentiality, integrity, and availability of the device and its data is severe.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the luci-app-https-dns-proxy package is installed on your OpenWrt device and whether it is a version up to and including 2025.12.29-5.
Detection involves verifying if an authenticated user with luci.https-dns-proxy ACL permission can send ubus RPC calls to the setInitAction function with crafted 'name' parameters that include shell metacharacters.
While no explicit detection commands are provided, you can check for the presence of the vulnerable package and its version using OpenWrt package management commands such as:
- opkg list-installed | grep luci-app-https-dns-proxy
- opkg info luci-app-https-dns-proxy
Additionally, monitoring ubus RPC calls to luci.https-dns-proxy setInitAction for suspicious 'name' parameter values containing shell metacharacters could help detect exploitation attempts.
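The monitoring idea above, as an added example (not code from the advisory or the OpenWrt project): it scans captured ubus JSON-RPC request bodies, one per line, and flags setInitAction calls whose 'name' falls outside an allowlist. Assumptions: a proxy or capture in front of the LuCI ubus endpoint records request bodies, and legitimate names contain only letters, digits, '_', '.' and '-'; the function names and sample bodies are constructed for illustration.

```python
import json
import re

# Assumption: legitimate 'name' values use only letters, digits, '_', '.', '-'.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]+")
TARGET = ("luci.https-dns-proxy", "setInitAction")

def iter_calls(body):
    """Yield (object, method, args) for each ubus 'call' in a JSON-RPC body."""
    try:
        doc = json.loads(body)
    except ValueError:
        return  # not JSON: nothing to inspect
    # LuCI can batch several JSON-RPC requests into one array.
    for req in doc if isinstance(doc, list) else [doc]:
        if not isinstance(req, dict) or req.get("method") != "call":
            continue
        params = req.get("params")
        if isinstance(params, list) and len(params) >= 3:
            args = params[3] if len(params) > 3 else {}
            yield params[1], params[2], args if isinstance(args, dict) else {}

def suspicious_names(lines):
    """Return (line_number, name) for setInitAction calls failing the allowlist."""
    hits = []
    for lineno, body in enumerate(lines, 1):
        for obj, method, args in iter_calls(body):
            if (obj, method) != TARGET:
                continue
            name = args.get("name")
            # A missing or non-string name is reported too (as None or its value).
            if not isinstance(name, str) or not SAFE_NAME.fullmatch(name):
                hits.append((lineno, name))
    return hits

# Constructed sample bodies, not real traffic; "SID" is a placeholder session.
SAMPLE = [
    '{"jsonrpc":"2.0","id":1,"method":"call","params":["SID",'
    '"luci.https-dns-proxy","setInitAction",{"name":"https-dns-proxy"}]}',
    '{"jsonrpc":"2.0","id":2,"method":"call","params":["SID",'
    '"luci.https-dns-proxy","setInitAction",{"name":"https-dns-proxy;constructed"}]}',
    '[{"jsonrpc":"2.0","id":3,"method":"call","params":["SID","system","board",{}]},'
    '{"jsonrpc":"2.0","id":4,"method":"call","params":["SID",'
    '"luci.https-dns-proxy","setInitAction",{"name":"x $(constructed)"}]}]',
    "not json",
]

if __name__ == "__main__":
    for lineno, name in suspicious_names(SAMPLE):
        print(f"line {lineno}: suspicious name {name!r}")
```

An allowlist is used instead of a metacharacter blocklist so that any unexpected character is reported, including ones a blocklist would miss.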
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include removing or disabling the luci-app-https-dns-proxy package if it is not required, as the core OpenWrt system is not affected.
If the package is needed, restrict access to users with the luci.https-dns-proxy ACL permission and ensure only trusted users have this permission.
Apply any available updates or patches that address this vulnerability once they are released.
Monitor your system for suspicious activity related to ubus RPC calls to luci.https-dns-proxy setInitAction and consider resetting credentials if compromise is suspected.