Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable via LuCI/rpcd but needs an existing delegated write ACL (PR:L) and the auto-login branch to fire (AC:H); escalating a scoped ACL to root crosses an authority boundary (S:C) with full root impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
luci-app-travelmate (and the travelmate package) contain a privilege-escalation flaw: a LuCI/rpcd session holding the luci-app-travelmate write ACL is granted config-wide UCI write access to the travelmate configuration. While the LuCI UI restricts the auto-login script picker to /etc/travelmate/*.login, this is only a frontend restriction. The backend travelmate service (running as root) reads the raw UCI 'script' and 'script_args' values and executes the configured path when the captive-portal auto-login branch (f_check() in travelmate-functions.sh) is reached. An attacker with delegated write permissions can set script to /bin/sh and script_args to attacker-controlled arguments, resulting in arbitrary command execution as root. Confirmed in luci-app-travelmate/travelmate 2.4.5-r3; the sink is still present in travelmate 2.4.6-1 and no patched version is known.
AnalysisAI
Root-level command injection in OpenWrt's luci-app-travelmate/travelmate (confirmed in 2.4.5-r3, sink still present in 2.4.6-1) lets an rpcd/LuCI session holding only the luci-app-travelmate write ACL escalate to arbitrary command execution as root. The LuCI UI limits the auto-login script picker to /etc/travelmate/*.login, but that is a frontend-only check: the root-run backend reads the raw UCI 'script' and 'script_args' values, so an attacker sets script to /bin/sh with controlled arguments to run commands as root when the captive-portal auto-login branch fires. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid LuCI/rpcd session that already holds the delegated luci-app-travelmate write ACL (PR:L - not unauthenticated), the ability to write the travelmate UCI 'script' and 'script_args' values, and the captive-portal auto-login branch in f_check() (travelmate-functions.sh) actually being reached so the root service executes the configured path. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 4.0 vector (7.7, AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H) is internally consistent with the description: network-reachable via LuCI/rpcd, but gated by an existing delegated ACL (PR:L) and by the practical requirement that the captive-portal auto-login branch actually execute (AT:P/AC:H), while impact is full root code execution (high C/I/A). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An operator or integrator grants a lower-tier admin the luci-app-travelmate write ACL to let them manage Wi-Fi uplinks; that user sets the travelmate UCI 'script' to /bin/sh and 'script_args' to an attacker-controlled command string. When the device next hits a captive portal and travelmate's root service enters the auto-login branch, it executes the attacker's command as root, yielding full device takeover. … |
| Remediation | Upstream fix available (PR/commit); released patched version not independently confirmed - apply the fixes referenced in the GHSA advisory (https://github.com/openwrt/luci/security/advisories/GHSA-p35r-3323-6g7g) via the openwrt/luci commits f85102548ee8325bfd581a0327b210b5f7670829, 491f1df06645c4e0757fed4a9f0622e9ce0d300c, 71d92bcc9edbc8f95858ce82a8ff5d52500005a2, 0627b412ee3a760cc4bca9fc8a5b73de8f33ac10, and d6e457a1a70a9010195edeafdc0b8eb6e3b0f7f1, or rebuild the package from a source tree containing them, since the description indicates no tagged release is yet confirmed clean (2.4.6-1 still vulnerable). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Audit all OpenWrt deployments running luci-app-travelmate versions 2.4.5-r3 and 2.4.6-1. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41366
GHSA-x6j4-vgjq-5839