CVE-2026-11450

Vulnerability

A command injection vulnerability exists in the glc CGI binary of GL.iNet GL-MT3000 devices running firmware version 4.4.5. The vulnerability resides in the path normalization handler, specifically within the dlopen function of the /usr/lib/oui-httpd/rpc/ library. By manipulating the dev_name argument passed to the eject_disk_do1 function, an attacker can achieve command injection [1].

Exploitation

An unauthenticated remote attacker can exploit this vulnerability by sending a specially crafted POST request to the /cgi-bin/glc endpoint. The request body should be in JSON format, specifying the nas-web object and the eject_disk_do1 method. The dev_name argument within the JSON payload must be carefully constructed to include padding and a shell command, such as /null$(cmd>/tmp/out), which bypasses initial validation and leads to command execution via /bin/sh -c [1].

Impact

Successful exploitation of this vulnerability allows an unauthenticated remote attacker to execute arbitrary commands on the affected GL.iNet GL-MT3000 device. This can lead to a full compromise of the device with the privileges of the running web server process [1].

Mitigation

GL.iNet has addressed this vulnerability in firmware version 4.7 and later by enabling method-level validation at the HTTP /rpc layer, removing nas-web.eject_disk from the allowed methods whitelist. Users are advised to upgrade to version 4.7 or a later version to mitigate this issue. The vendor confirmed that directly calling eject_disk through the default /rpc endpoint now returns Invalid params, preventing the exploit chain [1].