Skip to main content

luci-app-travelmate CVE-2026-58652

| EUVDEUVD-2026-41366 HIGH
OS Command Injection (CWE-78)
2026-07-02 VulnCheck GHSA-x6j4-vgjq-5839
7.7
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.7 HIGH
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.5 HIGH

Network-reachable via LuCI/rpcd but needs an existing delegated write ACL (PR:L) and the auto-login branch to fire (AC:H); escalating a scoped ACL to root crosses an authority boundary (S:C) with full root impact.

3.1 AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 13:16 vuln.today

DescriptionCVE.org

luci-app-travelmate (and the travelmate package) contain a privilege-escalation flaw: a LuCI/rpcd session holding the luci-app-travelmate write ACL is granted config-wide UCI write access to the travelmate configuration. While the LuCI UI restricts the auto-login script picker to /etc/travelmate/*.login, this is only a frontend restriction. The backend travelmate service (running as root) reads the raw UCI 'script' and 'script_args' values and executes the configured path when the captive-portal auto-login branch (f_check() in travelmate-functions.sh) is reached. An attacker with delegated write permissions can set script to /bin/sh and script_args to attacker-controlled arguments, resulting in arbitrary command execution as root. Confirmed in luci-app-travelmate/travelmate 2.4.5-r3; the sink is still present in travelmate 2.4.6-1 and no patched version is known.

AnalysisAI

Root-level command injection in OpenWrt's luci-app-travelmate/travelmate (confirmed in 2.4.5-r3, sink still present in 2.4.6-1) lets an rpcd/LuCI session holding only the luci-app-travelmate write ACL escalate to arbitrary command execution as root. The LuCI UI limits the auto-login script picker to /etc/travelmate/*.login, but that is a frontend-only check: the root-run backend reads the raw UCI 'script' and 'script_args' values, so an attacker sets script to /bin/sh with controlled arguments to run commands as root when the captive-portal auto-login branch fires. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to LuCI/rpcd with travelmate write ACL
Delivery
Set UCI script=/bin/sh and script_args=payload
Exploit
Wait for captive-portal auto-login branch in f_check()
Execution
Root service executes attacker path
Impact
Arbitrary command execution as root

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid LuCI/rpcd session that already holds the delegated luci-app-travelmate write ACL (PR:L - not unauthenticated), the ability to write the travelmate UCI 'script' and 'script_args' values, and the captive-portal auto-login branch in f_check() (travelmate-functions.sh) actually being reached so the root service executes the configured path. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 4.0 vector (7.7, AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H) is internally consistent with the description: network-reachable via LuCI/rpcd, but gated by an existing delegated ACL (PR:L) and by the practical requirement that the captive-portal auto-login branch actually execute (AT:P/AC:H), while impact is full root code execution (high C/I/A). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An operator or integrator grants a lower-tier admin the luci-app-travelmate write ACL to let them manage Wi-Fi uplinks; that user sets the travelmate UCI 'script' to /bin/sh and 'script_args' to an attacker-controlled command string. When the device next hits a captive portal and travelmate's root service enters the auto-login branch, it executes the attacker's command as root, yielding full device takeover. …
Remediation Upstream fix available (PR/commit); released patched version not independently confirmed - apply the fixes referenced in the GHSA advisory (https://github.com/openwrt/luci/security/advisories/GHSA-p35r-3323-6g7g) via the openwrt/luci commits f85102548ee8325bfd581a0327b210b5f7670829, 491f1df06645c4e0757fed4a9f0622e9ce0d300c, 71d92bcc9edbc8f95858ce82a8ff5d52500005a2, 0627b412ee3a760cc4bca9fc8a5b73de8f33ac10, and d6e457a1a70a9010195edeafdc0b8eb6e3b0f7f1, or rebuild the package from a source tree containing them, since the description indicates no tagged release is yet confirmed clean (2.4.6-1 still vulnerable). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Audit all OpenWrt deployments running luci-app-travelmate versions 2.4.5-r3 and 2.4.6-1. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-58652 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy