CVE-2026-46368 Overview
CVE-2026-46368 is a command injection vulnerability in luci-app-https-dns-proxy through version 2025.12.29-5. The package is an optional LuCI web UI add-on for https-dns-proxy, distributed via the OpenWrt community packages feed. It is not installed by default. An authenticated user holding the luci.https-dns-proxy ACL permission can inject shell metacharacters through the name parameter of a ubus RPC call to luci.https-dns-proxy setInitAction. Successful exploitation results in arbitrary command execution as root on the underlying device. Core OpenWrt is not affected.
Critical Impact
Authenticated attackers with the luci.https-dns-proxy ACL permission can achieve arbitrary root command execution on OpenWrt devices running the vulnerable add-on.
Affected Products
- luci-app-https-dns-proxy through 2025.12.29-5
- OpenWrt community packages feed installations that opted in to the add-on
- LuCI web UI deployments exposing the luci.https-dns-proxy ubus interface
Discovery Timeline
- 2026-05-26 - CVE-2026-46368 published to NVD
- 2026-05-26 - Last updated in NVD database
Technical Details for CVE-2026-46368
Vulnerability Analysis
The vulnerability resides in the setInitAction function exposed through the ubus RPC interface of luci-app-https-dns-proxy. The handler accepts a name parameter that identifies the init service to act upon. The parameter value flows into a shell command without sanitization or argument separation. An authenticated LuCI user with the luci.https-dns-proxy ACL permission can supply shell metacharacters such as ;, |, &&, or backticks within name to break out of the intended command context. The injected payload executes in the context of the LuCI backend, which runs as root on OpenWrt. This grants the attacker full control of the device, including network configuration, firewall rules, and persistent storage. The flaw is classified as [CWE-77] Improper Neutralization of Special Elements used in a Command.
Root Cause
The setInitAction implementation concatenates user-controlled input into a shell invocation rather than passing arguments to a constrained executor. No allowlist validates the name parameter against the set of legitimate init service identifiers, and no escaping or quoting prevents metacharacter interpretation.
Attack Vector
Exploitation requires network reach to the LuCI interface and valid credentials with the luci.https-dns-proxy ACL. The attacker issues a ubus RPC call to luci.https-dns-proxy setInitAction with a crafted name value containing shell metacharacters. The LuCI backend evaluates the resulting command line and executes the injected payload as root. Technical details and a proof of concept are available at the Vulncheck Security Advisory and Exploit-DB #52521.
Detection Methods for CVE-2026-46368
Indicators of Compromise
- ubus RPC calls to the luci.https-dns-proxy setInitAction method with shell metacharacters (;, |, &, $(), backticks) in the name parameter
- Unexpected child processes spawned by the LuCI/uhttpd process tree on OpenWrt devices
- New cron entries, SSH keys, or firewall rules appearing after access to the LuCI HTTPS DNS Proxy page
- Outbound connections from the router to attacker-controlled infrastructure following authenticated LuCI sessions
Detection Strategies
- Inspect uhttpd and rpcd logs for ubus calls to luci.https-dns-proxy setInitAction and flag any name value outside the known init script set
- Monitor process execution on OpenWrt devices for shells (sh, ash) spawned as children of rpcd or LuCI handlers
- Correlate authenticated LuCI session activity with subsequent configuration changes on the device
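The Root Cause and Detection Strategies sections above both come down to the same check: is the name value a single well-formed token that names a known init service? The following Python is an added example (not code from luci-app-https-dns-proxy, LuCI or OpenWrt) that shows the check from both sides: the allowlist-plus-argv construction a hardened handler would use, and a scanner that applies the same allowlist to log lines. The service set, the log line format and the log samples are all constructed assumptions; rpcd and uhttpd do not log in this exact shape, so the regex must be adapted to what the log platform actually records.

```python
import json
import re

# Constructed allowlist of init services the handler may act upon. On a real
# device this would be derived from the installed /etc/init.d scripts; the
# set here is an assumption for the example.
KNOWN_SERVICES = frozenset({"https-dns-proxy", "dnsmasq", "firewall"})
ALLOWED_ACTIONS = frozenset({"start", "stop", "restart", "reload"})

# A legitimate init script name is one token made of these characters.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]+")
# Characters that change meaning once a string reaches a shell.
SHELL_META = re.compile(r"[;&|`$()<>{}\n\\'\"\s]")


def validate_init_name(name: str) -> bool:
    """Allowlist check: the name must be well-formed AND a known service."""
    return SAFE_NAME.fullmatch(name) is not None and name in KNOWN_SERVICES


def build_init_argv(action: str, name: str) -> list:
    """Build an argv list for '/etc/init.d/<name> <action>'.

    Returning a list for an execv-style call, instead of concatenating a
    shell string, takes the shell out of the path entirely. The allowlist
    check is still needed so the handler cannot be pointed at an arbitrary
    script path.
    """
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"action not allowed: {action!r}")
    if not validate_init_name(name):
        raise ValueError(f"init service not allowed: {name!r}")
    return [f"/etc/init.d/{name}", action]


# Constructed log format (assumption): timestamp, process, then the ubus
# object, method and JSON argument blob.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) rpcd\[\d+\]: ubus call (?P<obj>\S+) (?P<method>\S+) (?P<args>\{.*\})$"
)


def scan_ubus_log(lines):
    """Return (timestamp, reason, value) for each setInitAction call whose
    name argument fails the same allowlist the handler should enforce."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["obj"] != "luci.https-dns-proxy" or m["method"] != "setInitAction":
            continue
        try:
            name = json.loads(m["args"]).get("name", "")
        except json.JSONDecodeError:
            findings.append((m["ts"], "unparseable arguments", m["args"]))
            continue
        if SHELL_META.search(name):
            findings.append((m["ts"], "shell metacharacters in name", name))
        elif name not in KNOWN_SERVICES:
            findings.append((m["ts"], "unknown init service", name))
    return findings


# Constructed sample log lines for the example (not real device output).
SAMPLE_LOG = [
    '2026-06-01T10:00:01 rpcd[1234]: ubus call luci.https-dns-proxy setInitAction {"name":"https-dns-proxy","action":"restart"}',
    '2026-06-01T10:00:05 rpcd[1234]: ubus call luci.https-dns-proxy setInitAction {"name":"https-dns-proxy; id","action":"restart"}',
    '2026-06-01T10:00:09 rpcd[1234]: ubus call luci.https-dns-proxy setInitAction {"name":"dropbear","action":"stop"}',
    '2026-06-01T10:00:12 rpcd[1234]: ubus call luci.https-dns-proxy setInitAction {"name":"dnsmasq","action":"reload"}',
]

if __name__ == "__main__":
    print(build_init_argv("restart", "https-dns-proxy"))
    for ts, reason, value in scan_ubus_log(SAMPLE_LOG):
        print(f"{ts} {reason}: {value!r}")
```

The scanner reports two of the four constructed lines: the one whose name carries a `;` and the one naming a service outside the allowlist. The second case matters as much as the first, because a name that is syntactically clean but not in the known init script set is exactly what the Detection Strategies list says to flag.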
Monitoring Recommendations
- Forward OpenWrt system logs and rpcd audit data to a centralized log platform for analysis
- Alert on any modification to /etc/config, /etc/crontabs, or /etc/dropbear/authorized_keys originating from LuCI sessions
- Track installation status of the luci-app-https-dns-proxy package across the fleet to identify exposed devices
How to Mitigate CVE-2026-46368
Immediate Actions Required
- Uninstall luci-app-https-dns-proxy on devices where the LuCI add-on is not required, retaining only the underlying https-dns-proxy package if needed
- Restrict LuCI access to trusted management networks and disable WAN exposure of the web UI
- Revoke the luci.https-dns-proxy ACL permission from any account that does not require it and rotate credentials for accounts that held it
- Audit recent ubus activity and device configuration for signs of exploitation before applying updates
Patch Information
No fixed version is listed in the NVD record at the time of publication. Track upstream commits and release notes at the GitHub PoC Repository and apply the patched package once published through the OpenWrt community packages feed. Until a fixed release is available, removal of the add-on is the most reliable mitigation.
Workarounds
- Remove the package with opkg remove luci-app-https-dns-proxy to eliminate the vulnerable handler while preserving https-dns-proxy functionality
- Block external access to the LuCI interface using firewall rules that limit management traffic to a dedicated VLAN or VPN
- Enforce strong authentication and unique credentials on every LuCI account to reduce the population of users who could abuse the ACL
# Remove the vulnerable add-on while keeping the core proxy package
opkg update
opkg remove luci-app-https-dns-proxy
# Restrict LuCI (uhttpd) to the LAN address only. listen_http and
# listen_https are list options, so clear the existing entries
# (by default they bind all interfaces) before adding the LAN-only ones
uci delete uhttpd.main.listen_http
uci add_list uhttpd.main.listen_http='192.168.1.1:80'
uci delete uhttpd.main.listen_https
uci add_list uhttpd.main.listen_https='192.168.1.1:443'
uci commit uhttpd
/etc/init.d/uhttpd restart
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.