CVE-2026-58652
Received Received - Intake

BaseFortify

Vulnerability report for CVE-2026-58652, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-02

Last updated on: 2026-07-02

Assigner: VulnCheck

Description

luci-app-travelmate (and the travelmate package) contain a privilege-escalation flaw: a LuCI/rpcd session holding the luci-app-travelmate write ACL is granted config-wide UCI write access to the travelmate configuration. While the LuCI UI restricts the auto-login script picker to /etc/travelmate/*.login, this is only a frontend restriction. The backend travelmate service (running as root) reads the raw UCI 'script' and 'script_args' values and executes the configured path when the captive-portal auto-login branch (f_check() in travelmate-functions.sh) is reached. An attacker with delegated write permissions can set script to /bin/sh and script_args to attacker-controlled arguments, resulting in arbitrary command execution as root. Confirmed in luci-app-travelmate/travelmate 2.4.5-r3; the sink is still present in travelmate 2.4.6-1 and no patched version is known.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-02
Last Modified
2026-07-02
Generated
2026-07-02
AI Q&A
2026-07-02
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
mossdef-org luci-app-advanced-reboot to 1.1.2-6 (exc)
mossdef-org luci-app-advanced-reboot 1.1.2-6

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-58652 is a privilege-escalation vulnerability in the luci-app-travelmate and travelmate packages. It occurs because a LuCI/rpcd session with luci-app-travelmate write permissions is granted config-wide UCI write access to the travelmate configuration. Although the LuCI UI restricts the auto-login script picker to files under /etc/travelmate/*.login, this restriction is only enforced on the frontend.

The backend travelmate service, which runs as root, reads the raw UCI 'script' and 'script_args' values and executes the configured script path when the captive-portal auto-login branch is triggered. An attacker with delegated write permissions can set the 'script' parameter to /bin/sh and supply attacker-controlled arguments in 'script_args', resulting in arbitrary command execution with root privileges.

This vulnerability requires the attacker to have a valid LuCI session with write ACL, travelmate to be enabled with a matching uplink, and the system to reach the auto-login execution path. There is no known patched version currently available.

Impact Analysis

This vulnerability allows an attacker with delegated write permissions in luci-app-travelmate to execute arbitrary commands as the root user on the affected device. This effectively escalates limited management permissions to full root access.

The impact includes complete compromise of confidentiality, integrity, and availability of the device. An attacker could execute any command, modify system files, disrupt services, or gain persistent control over the device.

Devices such as travel routers or small gateways using travelmate are particularly at risk, especially when vendors or operators grant only app-level permissions instead of full root access, mistakenly assuming these permissions are safe.

Detection Guidance

Detection involves checking if the luci-app-travelmate package is installed and if the vulnerable versions (2.4.5-r3 or 2.4.6-1) are present. Additionally, monitoring for unusual UCI configuration changes related to the 'script' and 'script_args' parameters in the travelmate configuration can help identify exploitation attempts.

You can inspect the current UCI configuration for travelmate scripts by running commands like:

  • uci show travelmate | grep script
  • Look for suspicious values such as '/bin/sh' or unexpected script arguments that could indicate exploitation.

Also, check active LuCI/rpcd sessions with write ACLs to luci-app-travelmate, as an attacker requires such permissions to exploit this vulnerability.

Mitigation Strategies

Immediate mitigation steps include restricting or revoking write permissions to the luci-app-travelmate configuration to prevent unauthorized changes to the 'script' and 'script_args' parameters.

If possible, disable the travelmate service or the auto-login feature until a patched version is available.

Monitor and audit UCI configurations regularly to detect and revert any unauthorized modifications.

Apply any available patches or updates that address this vulnerability, such as those referenced in openwrt/packages commits 208c01e and 0627b41.

Consider implementing backend validation to enforce stricter script allowlists and reject interpreter paths like /bin/sh, as suggested in the advisory.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-58652. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart