CVE-2026-14736 Overview
CVE-2026-14736 is an unrestricted file upload vulnerability affecting Ruijie RG-UAC devices up to version 1.0-R1.8.2.p5. The flaw resides in an unknown function within the user_auth_commit.php file. Attackers can manipulate the upload_image argument to bypass upload restrictions and place arbitrary files on the appliance. The issue is exploitable remotely without authentication or user interaction. Public exploit details have been disclosed, increasing the likelihood of opportunistic attacks against exposed devices. The weakness is categorized under [CWE-284] (Improper Access Control).
Critical Impact
Remote, unauthenticated attackers can upload arbitrary files to user_auth_commit.php, potentially enabling web shell deployment and further compromise of the network appliance.
Affected Products
- Ruijie RG-UAC (Unified Access Controller)
- Firmware versions up to and including 1.0-R1.8.2.p5
- Deployments exposing the user_auth_commit.php endpoint
Discovery Timeline
- 2026-07-05 - CVE-2026-14736 published to NVD
- 2026-07-06 - Last updated in NVD database
Technical Details for CVE-2026-14736
Vulnerability Analysis
The vulnerability exists in the user_auth_commit.php handler on Ruijie RG-UAC appliances. The endpoint processes an upload_image parameter without enforcing proper access control or file type validation. An attacker sends a crafted HTTP request that manipulates the upload_image argument to write attacker-controlled content to the file system.
Because the endpoint is reachable over the network and does not require prior authentication, exploitation can be scripted and repeated. Successful upload of executable content, such as a PHP web shell, would allow adversaries to run commands within the web server context on the device.
Root Cause
The underlying weakness is improper access control [CWE-284] on the file upload routine. The application accepts the upload_image argument and writes the resulting file to disk without verifying the caller's privileges or restricting file types and destination paths. This design allows unrestricted upload of dangerous file types.
Attack Vector
The attack vector is network-based. An attacker crafts an HTTP request targeting user_auth_commit.php on an exposed RG-UAC device and supplies a malicious payload through the upload_image parameter. No user interaction or credentials are required. Public disclosure of exploit details means attackers can integrate this technique into automated scanners targeting Ruijie devices exposed to the internet or reachable within untrusted network segments.
Technical details are documented on VulDB CVE-2026-14736 and in the Feishu Documentation.
Detection Methods for CVE-2026-14736
Indicators of Compromise
- HTTP POST requests to user_auth_commit.php containing an upload_image parameter from unexpected source IP addresses.
- Newly created files with executable extensions (.php, .phtml, .jsp) in web-accessible directories on the RG-UAC appliance.
- Outbound connections initiated by the RG-UAC device to unfamiliar external hosts following upload activity.
Detection Strategies
- Inspect web server and reverse proxy logs for requests targeting user_auth_commit.php, especially those carrying multipart file uploads.
- Baseline the file system contents of the appliance and alert on additions or modifications to web-serving directories.
- Deploy network intrusion detection signatures that match crafted requests to the vulnerable endpoint.
Monitoring Recommendations
- Forward RG-UAC access, error, and audit logs to a centralized SIEM for correlation with network telemetry.
- Monitor administrative interfaces for anomalous authentication events and configuration changes following upload attempts.
- Track outbound traffic from network appliances to detect command-and-control activity that follows successful exploitation.
How to Mitigate CVE-2026-14736
Immediate Actions Required
- Restrict network access to the RG-UAC management interface using ACLs or firewall rules that allow only trusted administrative subnets.
- Audit the appliance file system for unexpected files in web directories and remove any unauthorized uploads.
- Rotate administrative credentials and API tokens if compromise is suspected.
Patch Information
At the time of publication, no vendor-provided patch reference is listed in the enriched CVE data. Administrators should consult Ruijie's official support channels for firmware updates addressing user_auth_commit.php and monitor advisories referenced on VulDB Vulnerability #376318.
Workarounds
- Block external access to the user_auth_commit.php endpoint at the perimeter firewall or web application gateway.
- Place the RG-UAC management plane on an isolated VLAN reachable only through a jump host or VPN.
- Disable or filter the upload_image parameter at an upstream reverse proxy if the affected function is not required for operations.
- Enable strict logging on the appliance and forward events to a centralized log repository for retention and analysis.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

