Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-14736

CVE-2026-14736: Ruijie RG-UAC Auth Bypass Vulnerability

CVE-2026-14736 is an authentication bypass flaw in Ruijie RG-UAC that enables unrestricted file upload via user_auth_commit.php. This article covers the technical details, affected versions, and mitigation strategies.

Published:

CVE-2026-14736 Overview

CVE-2026-14736 is an unrestricted file upload vulnerability affecting Ruijie RG-UAC devices up to version 1.0-R1.8.2.p5. The flaw resides in an unknown function within the user_auth_commit.php file. Attackers can manipulate the upload_image argument to bypass upload restrictions and place arbitrary files on the appliance. The issue is exploitable remotely without authentication or user interaction. Public exploit details have been disclosed, increasing the likelihood of opportunistic attacks against exposed devices. The weakness is categorized under [CWE-284] (Improper Access Control).

Critical Impact

Remote, unauthenticated attackers can upload arbitrary files to user_auth_commit.php, potentially enabling web shell deployment and further compromise of the network appliance.

Affected Products

  • Ruijie RG-UAC (Unified Access Controller)
  • Firmware versions up to and including 1.0-R1.8.2.p5
  • Deployments exposing the user_auth_commit.php endpoint

Discovery Timeline

  • 2026-07-05 - CVE-2026-14736 published to NVD
  • 2026-07-06 - Last updated in NVD database

Technical Details for CVE-2026-14736

Vulnerability Analysis

The vulnerability exists in the user_auth_commit.php handler on Ruijie RG-UAC appliances. The endpoint processes an upload_image parameter without enforcing proper access control or file type validation. An attacker sends a crafted HTTP request that manipulates the upload_image argument to write attacker-controlled content to the file system.

Because the endpoint is reachable over the network and does not require prior authentication, exploitation can be scripted and repeated. Successful upload of executable content, such as a PHP web shell, would allow adversaries to run commands within the web server context on the device.

Root Cause

The underlying weakness is improper access control [CWE-284] on the file upload routine. The application accepts the upload_image argument and writes the resulting file to disk without verifying the caller's privileges or restricting file types and destination paths. This design allows unrestricted upload of dangerous file types.

Attack Vector

The attack vector is network-based. An attacker crafts an HTTP request targeting user_auth_commit.php on an exposed RG-UAC device and supplies a malicious payload through the upload_image parameter. No user interaction or credentials are required. Public disclosure of exploit details means attackers can integrate this technique into automated scanners targeting Ruijie devices exposed to the internet or reachable within untrusted network segments.

Technical details are documented on VulDB CVE-2026-14736 and in the Feishu Documentation.

Detection Methods for CVE-2026-14736

Indicators of Compromise

  • HTTP POST requests to user_auth_commit.php containing an upload_image parameter from unexpected source IP addresses.
  • Newly created files with executable extensions (.php, .phtml, .jsp) in web-accessible directories on the RG-UAC appliance.
  • Outbound connections initiated by the RG-UAC device to unfamiliar external hosts following upload activity.

Detection Strategies

  • Inspect web server and reverse proxy logs for requests targeting user_auth_commit.php, especially those carrying multipart file uploads.
  • Baseline the file system contents of the appliance and alert on additions or modifications to web-serving directories.
  • Deploy network intrusion detection signatures that match crafted requests to the vulnerable endpoint.

Monitoring Recommendations

  • Forward RG-UAC access, error, and audit logs to a centralized SIEM for correlation with network telemetry.
  • Monitor administrative interfaces for anomalous authentication events and configuration changes following upload attempts.
  • Track outbound traffic from network appliances to detect command-and-control activity that follows successful exploitation.

How to Mitigate CVE-2026-14736

Immediate Actions Required

  • Restrict network access to the RG-UAC management interface using ACLs or firewall rules that allow only trusted administrative subnets.
  • Audit the appliance file system for unexpected files in web directories and remove any unauthorized uploads.
  • Rotate administrative credentials and API tokens if compromise is suspected.

Patch Information

At the time of publication, no vendor-provided patch reference is listed in the enriched CVE data. Administrators should consult Ruijie's official support channels for firmware updates addressing user_auth_commit.php and monitor advisories referenced on VulDB Vulnerability #376318.

Workarounds

  • Block external access to the user_auth_commit.php endpoint at the perimeter firewall or web application gateway.
  • Place the RG-UAC management plane on an isolated VLAN reachable only through a jump host or VPN.
  • Disable or filter the upload_image parameter at an upstream reverse proxy if the affected function is not required for operations.
  • Enable strict logging on the appliance and forward events to a centralized log repository for retention and analysis.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.