Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-11450

CVE-2026-11450: GL.iNet GL-MT3000 RCE Vulnerability

CVE-2026-11450 is a remote code execution vulnerability in GL.iNet GL-MT3000 routers affecting version 4.4.5 through command injection in the dlopen function. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-11450 Overview

CVE-2026-11450 is a command injection vulnerability in the GL.iNet GL-MT3000 router running firmware version 4.4.5. The flaw resides in the dlopen function within the /usr/lib/oui-httpd/rpc/ library, specifically in the Path Normalization Handler. Attackers manipulate the dev_name argument to inject operating system commands. The vulnerability is reachable remotely over the network without authentication or user interaction. The vendor confirmed that method-level validation at the HTTP /rpc layer in version 4.7 removes nas-web.eject_disk from the allowed methods whitelist, breaking the exploit chain.

Critical Impact

Unauthenticated remote attackers can execute arbitrary commands on affected GL-MT3000 routers by injecting shell metacharacters into the dev_name parameter of the eject_disk RPC method.

Affected Products

  • GL.iNet GL-MT3000 firmware version 4.4.5
  • GL.iNet GL-MT3000 firmware versions prior to 4.7
  • Component: /usr/lib/oui-httpd/rpc/ Path Normalization Handler

Discovery Timeline

  • 2026-06-07 - CVE-2026-11450 published to NVD
  • 2026-06-08 - Last updated in NVD database

Technical Details for CVE-2026-11450

Vulnerability Analysis

The vulnerability exists in the oui-httpd RPC interface used by GL.iNet routers to expose internal management functions over HTTP. The nas-web.eject_disk method accepts a dev_name parameter that is passed without sanitization into a code path involving dlopen and shell command execution. Attackers supply shell metacharacters in dev_name to break out of the intended argument context and execute arbitrary commands with the privileges of the oui-httpd daemon. The weakness is classified under [CWE-74] (Improper Neutralization of Special Elements in Output Used by a Downstream Component). EPSS data indicates a 1.306% exploitation probability at the 80th percentile.

Root Cause

The root cause is missing input validation on the dev_name argument before it reaches a function that invokes operating system commands. The oui-httpd RPC endpoint accepted the eject_disk method on the default whitelist in firmware 4.4.5, exposing the vulnerable code path to any unauthenticated network caller. No method-level access control or argument neutralization was enforced at the HTTP /rpc boundary.

Attack Vector

An attacker sends a crafted JSON-RPC request to the router's /rpc endpoint invoking nas-web.eject_disk with a malicious dev_name value containing shell metacharacters. Because the parameter is interpolated into a command executed by the path normalization handler, the injected commands run on the device. The attack requires network reachability to the router's HTTP service but no credentials or user interaction. See the GitHub PoC repository for the verified exploitation details and request structure.

// Refer to the verified PoC repository for the exploitation request
// https://github.com/StrTzz123/iot_vul/tree/main/GL-iNet/MT3000/4.4.5/nas_eject_disk_do1_glc_rce

Detection Methods for CVE-2026-11450

Indicators of Compromise

  • HTTP POST requests to the /rpc endpoint containing the method name nas-web.eject_disk from external or untrusted sources.
  • JSON-RPC payloads where the dev_name parameter contains shell metacharacters such as ;, |, `, $(, or &&.
  • Unexpected child processes spawned by the oui-httpd daemon on the router.
  • Outbound connections from the router to unfamiliar IP addresses shortly after /rpc traffic.

Detection Strategies

  • Inspect HTTP request bodies destined for the router management interface for invocations of eject_disk paired with non-alphanumeric characters in dev_name.
  • Correlate router process telemetry to flag oui-httpd spawning shells (sh, ash, busybox) or network utilities.
  • Apply signature-based identification on network sensors for JSON-RPC payloads matching the published PoC structure.

Monitoring Recommendations

  • Restrict and log all access to the router's HTTP management interface, particularly the /rpc path.
  • Forward router syslog and connection telemetry to a centralized logging platform for retrospective analysis.
  • Alert on configuration changes or new persistence mechanisms appearing on GL-MT3000 devices.

How to Mitigate CVE-2026-11450

Immediate Actions Required

  • Upgrade GL-MT3000 firmware to version 4.7 or later, which removes nas-web.eject_disk from the allowed RPC method whitelist.
  • Block access to the router's HTTP management interface from untrusted networks and the public internet.
  • Audit existing devices for signs of prior exploitation, including unexpected processes and outbound connections.

Patch Information

GL.iNet addressed CVE-2026-11450 in firmware version 4.7. According to the vendor statement, method-level validation was introduced at the HTTP /rpc layer. nas-web.eject_disk is no longer in the whitelist of allowed methods, so direct invocation through the default /rpc endpoint returns Invalid params and the vulnerable downstream code path is unreachable. Additional details are available in the VulDB CVE record.

Workarounds

  • Disable remote administration on the GL-MT3000 and confine management access to a trusted LAN segment or VPN.
  • Place the device behind a firewall that drops inbound traffic to TCP ports used by oui-httpd.
  • If upgrade is not immediately possible, segment the router from systems handling sensitive data to limit blast radius.
bash
# Example: restrict management interface to a trusted subnet using iptables on the router
iptables -A INPUT -p tcp --dport 80 -s 192.168.8.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -s 192.168.8.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.