VYPR
Medium severity (4.7) · NVD Advisory · Published Jun 7, 2026

CVE-2026-11448

Description

GL.iNet GL-MT3000 up to 4.4.5 is vulnerable to command injection in the Minidlna service, allowing remote authenticated attackers to gain root privileges.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

A command injection vulnerability exists in the Minidlna service of GL.iNet GL-MT3000 devices running firmware up to version 4.4.5. The vulnerability resides in the /rpc endpoint, specifically within the realpath function of the minidlna component. This issue arises because the rpcd access control list grants broad uci.set permissions to the luci-base scope without per-package restrictions, allowing an authenticated administrator to write arbitrary values to minidlna.config.db_dir [1].

Exploitation

An authenticated attacker with administrative privileges can exploit this vulnerability. The attacker first establishes a session with the luci-base scope via a POST request to /rpc. They then use uci.set to write a malicious value containing shell metacharacters to the minidlna configuration's db_dir parameter. After the UCI changes are applied and the minidlna service is restarted, the vulnerable realpath function processes the unsanitized db_dir value when the minidlnad process reads the configuration, resulting in command execution as root [1].

Impact

Successful exploitation of this vulnerability allows an authenticated attacker to achieve arbitrary command execution with root privileges on the affected GL.iNet GL-MT3000 device. This level of access enables the attacker to compromise the confidentiality, integrity, and availability of the device and potentially the network it is connected to [1].

Mitigation

GL.iNet has released firmware version 4.7, which addresses this vulnerability by implementing global protection to intercept malicious injection. Users are strongly advised to upgrade their GL-MT3000 devices to version 4.7 or later. The vendor confirms that, starting from version 4.7, the SDK includes the necessary protections. The fixed version was released on or before 2023-08-11 [1].

AI Insight generated on Jun 7, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE: mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 5

News mentions: 0

No linked articles in our index yet.