Skip to main content

OpenWrt cgi-io CVE-2026-62947

| EUVDEUVD-2026-44756 MEDIUM
Path Traversal (CWE-22)
2026-07-15 GitHub_M
4.9
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
4.9 MEDIUM

Requires admin-level ubus session (PR:H); network-reachable endpoint (AV:N); impacts only confidentiality via sensitive file disclosure, no integrity or availability impact.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch available
Jul 15, 2026 - 21:18 EUVD
Source Code Evidence Fetched
Jul 15, 2026 - 18:46 vuln.today
Analysis Generated
Jul 15, 2026 - 18:46 vuln.today
CVE Published
Jul 15, 2026 - 17:55 cve.org
MEDIUM 4.9

DescriptionCVE.org

OpenWrt is a Linux operating system targeting embedded devices. Prior to 25.12.5, the cgi-download handler in cgi-io authorizes the requested path against the caller's ubus session file ACL before canonicalization, and rpcd session.c uses fnmatch() without FNM_PATHNAME, allowing traversal such as an allowed wildcard prefix followed by ../ to read root-readable files including /etc/shadow. This vulnerability is fixed in 25.12.5.

AnalysisAI

Path traversal in OpenWrt's cgi-io cgi-download handler (prior to 25.12.5) allows an authenticated administrator to read arbitrary root-readable files - including /etc/shadow - by exploiting a TOCTOU-style authorization flaw where ACL checks occur before path canonicalization. The rpcd session.c ACL matcher uses fnmatch() without FNM_PATHNAME, meaning a wildcard-prefixed ACL entry (e.g., /etc/config/*) can be defeated by appending ../ sequences that pass the ACL check but resolve to an out-of-scope file when open() is called. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain admin credentials or session token
Delivery
Identify ubus session ACL wildcard path (e.g., /etc/config/*)
Exploit
Craft path with ../ traversal suffix targeting /etc/shadow
Execution
Submit HTTP request to cgi-download endpoint
Persist
fnmatch() ACL check passes without FNM_PATHNAME
Impact
open() resolves traversal and returns root-readable file

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid high-privilege ubus session token with at least one file read ACL grant covering a directory path with a wildcard (e.g., /etc/config/*) - this corresponds to PR:H in the CVSS vector and reflects admin-level access to the OpenWrt management interface. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 4.9 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N) correctly reflects that while the confidentiality impact is high - reading /etc/shadow gives access to password hashes enabling offline cracking - the PR:H requirement is a genuine and significant barrier. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained OpenWrt admin credentials - through credential stuffing, phishing, or a prior compromise - authenticates and obtains a ubus session token that includes a file read ACL for /etc/config/*. The attacker then issues a crafted HTTP request to the cgi-download endpoint specifying a path such as /etc/config/../shadow; fnmatch() matches this against /etc/config/* without FNM_PATHNAME and the ACL check passes, but open() resolves the embedded '..' and returns the contents of /etc/shadow, providing password hashes for offline cracking.
Remediation Upgrade to OpenWrt 25.12.5, which introduces path canonicalization before ACL validation in both the cgi-download and main_exec handlers. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-20017 CRITICAL POC
9.8 Mar 04

In wlan service, there is a possible out of bounds write due to improper input validation. Rated critical severity (CVSS

CVE-2020-7982 HIGH POC
8.1 Mar 16

An issue was discovered in OpenWrt 18.06.0 to 18.06.6 and 19.07.0, and LEDE 17.01.0 to 17.01.7. Rated high severity (CVS

CVE-2018-19630 MEDIUM POC
6.1 Nov 28

cgi_handle_request in uhttpd in OpenWrt through 18.06.1 and LEDE through 17.01 has unauthenticated reflected XSS via the

CVE-2025-20654 CRITICAL
9.8 Apr 07

In wlan service, there is a possible out of bounds write due to an incorrect bounds check. Rated critical severity (CVSS

CVE-2019-5102 MEDIUM POC
5.9 Nov 18

An exploitable information leak vulnerability exists in the ustream-ssl library of OpenWrt, versions 18.06.4 and 15.05.1

CVE-2019-5101 MEDIUM POC
5.9 Nov 18

An exploitable information leak vulnerability exists in the ustream-ssl library of OpenWrt, versions 18.06.4 and 15.05.1

CVE-2025-20674 CRITICAL
9.8 Jun 02

Remote privilege escalation in Android WLAN AP driver via packet injection.

CVE-2025-20683 CRITICAL
9.8 Jul 08

In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local es

CVE-2025-20682 CRITICAL
9.8 Jul 08

In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local es

CVE-2025-20681 CRITICAL
9.8 Jul 08

In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local es

CVE-2026-30872 CRITICAL
9.8 Mar 19

Remote code execution in OpenWrt's mDNS daemon (versions before 24.10.6 and 25.12.1) allows unauthenticated attackers to

CVE-2026-30871 CRITICAL
9.8 Mar 19

Remote code execution in OpenWrt mdns daemon (versions before 24.10.6 and 25.12.1) allows unauthenticated attackers to c

Share

CVE-2026-62947 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy