CVE-2026-11450
Received - Intake
Command Injection in GL.iNet GL-MT3000

Publication date: 2026-06-07

Last updated on: 2026-06-07

Assigner: VulDB

Description
A vulnerability was detected in GL.iNet GL-MT3000 4.4.5. This affects the function dlopen in the library /usr/lib/oui-httpd/rpc/ of the component Path Normalization Handler. Performing a manipulation of the argument dev_name results in command injection. It is possible to initiate the attack remotely. Upgrading to version 4.7 mitigates this issue. It is advisable to upgrade the affected component. The vendor confirms: "From version 4.7 onward, we have enabled method-level validation at the HTTP /rpc layer. nas-web.eject_disk is no longer in the whitelist of allowed methods. Consequently, directly calling eject_disk through the default /rpc endpoint returns Invalid params, preventing entry into subsequent dangerous functions and blocking the remote exploit chain described in the report."
Meta Information
Published: 2026-06-07
Last Modified: 2026-06-07
Generated: 2026-06-07
AI Q&A: 2026-06-07
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
gl.inet gl-mt3000 4.4.5
gl.inet gl-mt3000 From 4.7 (inc)
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability, identified as CVE-2026-11450, exists in the GL.iNet GL-MT3000 router running firmware version 4.4.5. It is a critical unauthenticated command injection flaw located in the /cgi-bin/glc endpoint, specifically within the Path Normalization Handler component. The issue arises because the function handling the dev_name argument performs insufficient validation, allowing an attacker to manipulate this argument to inject arbitrary commands.

The root cause is a buffer size mismatch in the nas-web.so plugin's disk_remove_do function: a 64-byte buffer is used for path validation via access(), but a larger 256-byte buffer is used for command construction via system(). An attacker can craft a dev_name parameter that passes the access() check but includes malicious command injection payloads executed by system(), resulting in arbitrary command execution as root without authentication.

The vulnerability can be exploited remotely, and upgrading to firmware version 4.7 mitigates the issue by enabling method-level validation and removing dangerous methods from the allowed whitelist.
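
The buffer size mismatch described above, reduced to a constructed C model next to a hardened form. This is an added example, not code from the firmware, the vendor or the report; the "/dev/" prefix, the allowed character set and the EJECT_HELPER path are assumptions, and nothing is executed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define CHECK_BUF 64   /* validation buffer size stated on the page */
#define CMD_BUF   256  /* command buffer size stated on the page */
#define EJECT_HELPER "/usr/bin/eject-helper"  /* hypothetical helper path */

/* Flawed pattern, modelled without executing anything: the check sees a
 * truncated copy, the command builder sees it all. Returns 1 on mismatch. */
int sinks_disagree(const char *dev_name)
{
    char checked[CHECK_BUF], command[CMD_BUF];
    snprintf(checked, sizeof checked, "/dev/%s", dev_name); /* truncates */
    snprintf(command, sizeof command, "/dev/%s", dev_name); /* keeps tail */
    return strcmp(checked, command) != 0;
}

/* Hardened check: reject over-long input instead of truncating, and allow
 * only the characters assumed here for a device name: [A-Za-z0-9_-]. */
int dev_name_is_valid(const char *dev_name)
{
    size_t n = strlen(dev_name);
    if (n == 0 || n + sizeof "/dev/" > CHECK_BUF) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)dev_name[i];
        if (!isalnum(c) && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* Hardened construction: an argv for execv(), so no shell parses the name
 * and the path passed on is the same bytes that were validated. */
int build_argv(const char *dev_name, char *path, const char *argv[3])
{
    if (!dev_name_is_valid(dev_name)) return -1;
    snprintf(path, CHECK_BUF, "/dev/%s", dev_name);
    argv[0] = EJECT_HELPER; argv[1] = path; argv[2] = NULL;
    return 0;
}

int main(void)
{
    char name[128] = {0}, path[CHECK_BUF];   /* constructed sample input */
    const char *argv[3];
    memset(name, '/', 54); strcat(name, "null$(unchecked)");
    printf("disagree=%d rc=%d\n", sinks_disagree(name), build_argv(name, path, argv));
    return 0;
}
```

The hardened form fixes both halves of the flaw: the length rule rejects instead of truncating, so the validated bytes and the executed bytes cannot diverge, and the argv form keeps shell metacharacters from being interpreted even if the check is later loosened.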


How can this vulnerability impact me?

This vulnerability allows an unauthenticated remote attacker to execute arbitrary commands on the affected device with root privileges. This can lead to full compromise of the router, including unauthorized access, data theft, device manipulation, or using the device as a foothold for further attacks within the network.

Because the exploit requires no authentication and can be triggered remotely, it poses a significant security risk, potentially disrupting network operations and exposing sensitive information.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if the GL.iNet GL-MT3000 device is running firmware version 4.4.5 and if the /cgi-bin/glc endpoint is accessible without authentication.

A practical detection method involves sending crafted JSON requests to the /cgi-bin/glc endpoint with a specially constructed dev_name parameter to test for command injection.

For example, you can use curl to send a test request that attempts to execute a harmless command and observe if it succeeds:

  • curl -X POST http://[device_ip]/cgi-bin/glc -d '{"method":"nas-web.eject_disk","params":{"dev_name":"//////////////////////////////null$(id > /tmp/out)"}}' -H 'Content-Type: application/json'

If the command injection is successful, the command output (e.g., user id) will be written to /tmp/out on the device, indicating the vulnerability.


What immediate steps should I take to mitigate this vulnerability?

The immediate and recommended mitigation step is to upgrade the GL.iNet GL-MT3000 device firmware to version 4.7 or later.

Version 4.7 and onward include method-level validation at the HTTP /rpc layer, removing the nas-web.eject_disk method from the whitelist and blocking the remote exploit chain.

Until the upgrade can be applied, consider restricting access to the /cgi-bin/glc endpoint to trusted networks or IP addresses and implementing authentication if possible.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows unauthenticated remote command injection with root privileges on the GL.iNet GL-MT3000 device. Such a security flaw can lead to unauthorized access, data breaches, and potential manipulation or exfiltration of sensitive information.

Because of the risk of unauthorized access and potential data compromise, this vulnerability could negatively impact compliance with common standards and regulations such as GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

Mitigating this vulnerability by upgrading to version 4.7, which includes method-level validation and disables dangerous remote calls, is advisable to maintain compliance with these standards.

