CVE-2026-26792 Overview
CVE-2026-26792 is a command injection vulnerability affecting GL-iNet GL-AR300M16 routers running firmware version 4.3.11. The flaw resides in the set_upgrade function, which fails to sanitize multiple user-supplied parameters before passing them to a system shell. Unauthenticated attackers can send crafted HTTP requests containing shell metacharacters in parameters such as modem_url, target_version, current_version, firmware_upload, hash_type, hash_value, and upgrade_type. Successful exploitation results in arbitrary command execution on the underlying operating system with the privileges of the web service. The vulnerability is tracked under CWE-77 (Improper Neutralization of Special Elements used in a Command).
Critical Impact
Network-adjacent attackers can execute arbitrary operating system commands on affected GL-AR300M16 routers without authentication, leading to full device compromise.
Affected Products
- GL-iNet GL-AR300M16 firmware version 4.3.11
- GL-iNet GL-AR300M16 hardware
- Deployments exposing the device management interface to untrusted networks
Discovery Timeline
- 2026-03-12 - CVE-2026-26792 published to NVD
- 2026-03-16 - Last updated in NVD database
Technical Details for CVE-2026-26792
Vulnerability Analysis
The GL-AR300M16 router exposes an upgrade handler implemented as the set_upgrade function in its web management interface. The handler accepts seven user-controlled parameters: modem_url, target_version, current_version, firmware_upload, hash_type, hash_value, and upgrade_type. Each of these parameters is concatenated into shell command strings without sufficient neutralization of metacharacters.
An attacker who can reach the router's management interface can inject additional shell tokens such as backticks, semicolons, or command substitution sequences. The injected payload executes in the context of the upgrade routine, which typically runs with elevated privileges on embedded OpenWrt-based devices. Because each of the seven parameters is independently vulnerable, defenders cannot rely on filtering a single field.
Root Cause
The root cause is improper neutralization of special elements used in operating system commands, classified as CWE-77. The set_upgrade function constructs shell invocations by string concatenation rather than passing arguments through a safe execution API. No allowlist validation, escaping routine, or parameterized execution mechanism is applied to the inbound request fields.
Attack Vector
Exploitation requires only network access to the device management endpoint. No authentication or user interaction is required. The attacker submits an HTTP request to the upgrade endpoint with one or more of the vulnerable parameters containing a shell command injection payload. The injected commands execute on the router and can be used to install persistent backdoors, pivot into the connected network, or weaponize the device for botnet activity. Refer to the public GitHub PoC Repository for parameter-level details.
Detection Methods for CVE-2026-26792
Indicators of Compromise
- HTTP requests targeting the set_upgrade endpoint that contain shell metacharacters such as ;, |, &&, $(), or backticks in the modem_url, target_version, current_version, firmware_upload, hash_type, hash_value, or upgrade_type parameters.
- Unexpected outbound connections originating from the router to attacker-controlled hosts following upgrade-related requests.
- New or modified files in writable filesystem locations on the device, including added cron entries or startup scripts.
Detection Strategies
- Inspect web access logs on the router or upstream reverse proxies for POST or GET requests to upgrade endpoints containing command injection patterns.
- Deploy network intrusion detection signatures that flag shell metacharacters within parameters destined for the GL-iNet management interface.
- Compare running firmware checksums and configuration baselines against known-good images to identify tampering.
Monitoring Recommendations
- Monitor DNS and outbound flow data from router management VLANs for anomalous beaconing patterns.
- Alert on authentication failures and configuration changes on GL-iNet devices using syslog forwarding to a centralized SIEM.
- Track firmware version inventory across managed sites to identify devices still running version 4.3.11.
How to Mitigate CVE-2026-26792
Immediate Actions Required
- Restrict access to the router management interface so that it is reachable only from trusted administrative networks or VPN segments.
- Disable WAN-side administration on all GL-AR300M16 devices until a vendor patch is applied.
- Rotate administrative credentials and any pre-shared keys stored on the device in case of suspected compromise.
Patch Information
At the time of publication, no vendor advisory or fixed firmware version is listed in the NVD entry for CVE-2026-26792. Administrators should monitor the GL-iNet download portal for an updated release that supersedes firmware 4.3.11 and apply it as soon as it becomes available.
Workarounds
- Block external access to the device HTTP and HTTPS management ports using upstream firewall rules.
- Place affected routers behind a network segment that requires authenticated VPN access for administration.
- Remove the GL-AR300M16 from production roles and replace it with a patched device if the unit cannot be isolated.
# Example: restrict GL-iNet management interface to a trusted admin subnet
# Run from an upstream firewall (commands shown for iptables)
iptables -A FORWARD -s 10.10.10.0/24 -d <router-ip> -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -s 10.10.10.0/24 -d <router-ip> -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -d <router-ip> -p tcp --dport 80 -j DROP
iptables -A FORWARD -d <router-ip> -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
