CVE-2026-46368
Description
luci-app-https-dns-proxy through 2025.12.29-5 — an optional LuCI web UI add-on for the https-dns-proxy package, distributed through the OpenWrt community packages feed and not installed by default — contains a command injection vulnerability in the setInitAction function. An authenticated user holding the luci.https-dns-proxy ACL permission can inject shell metacharacters through the 'name' parameter of a ubus RPC call to luci.https-dns-proxy setInitAction, resulting in arbitrary command execution as root on the underlying device. Core OpenWrt is not affected; only installations that have opted in to the luci-app-https-dns-proxy package are vulnerable.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Command injection in luci-app-https-dns-proxy allows authenticated users with specific ACL to execute arbitrary commands as root on OpenWrt devices.
Vulnerability
A command injection vulnerability exists in the setInitAction function of luci-app-https-dns-proxy through version 2025.12.29-5. This optional LuCI web UI add-on for the https-dns-proxy package is distributed via the OpenWrt community packages feed and is not installed by default. The flaw allows an authenticated user holding the luci.https-dns-proxy ACL permission to inject shell metacharacters through the name parameter of a ubus RPC call to luci.https-dns-proxy setInitAction. Core OpenWrt installations are unaffected; only systems with the luci-app-https-dns-proxy package installed are vulnerable [1][3].
Exploitation
An attacker must have a valid user account on the OpenWrt device with the luci.https-dns-proxy ACL permission. No additional user interaction is required beyond authentication. The attacker sends a crafted ubus RPC call to the setInitAction method, embedding shell metacharacters (e.g., ;, |, `) in the name parameter. This payload is then executed by the underlying shell with root privileges. The exploit can be performed remotely if the LuCI web interface is exposed over the network [1][3].
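A detection check for the call described above, added here as an example and not taken from the package or from this advisory: it parses JSON-RPC bodies posted to LuCI's /ubus endpoint and flags setInitAction calls whose name argument is not a plain service name. The allowlist pattern, the function name and the sample request bodies are assumptions constructed for illustration.

```python
import json
import re

TARGET = ("luci.https-dns-proxy", "setInitAction")
# Assumption: a legitimate init-script name needs only these characters.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def suspicious_calls(body):
    """Return (request id, name) for each setInitAction call in a /ubus POST
    body whose 'name' argument is not a plain service name."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return []
    findings = []
    # LuCI sends either one JSON-RPC 2.0 object or a batch (array) of them.
    for req in doc if isinstance(doc, list) else [doc]:
        if not isinstance(req, dict) or req.get("method") != "call":
            continue
        params = req.get("params")
        # Layout: [session id, ubus object, ubus method, arguments]
        if not isinstance(params, list) or len(params) < 4:
            continue
        if (params[1], params[2]) != TARGET or not isinstance(params[3], dict):
            continue
        if "name" not in params[3]:
            continue
        name = params[3]["name"]
        # Non-string values are flagged as well: they are not service names.
        if not isinstance(name, str) or not SAFE_NAME.fullmatch(name):
            findings.append((req.get("id"), name))
    return findings


# Constructed sample bodies; "SID" stands in for a session id.
BENIGN = ('{"jsonrpc":"2.0","id":1,"method":"call","params":'
          '["SID","luci.https-dns-proxy","setInitAction",{"name":"https-dns-proxy"}]}')
BATCH = ('[{"jsonrpc":"2.0","id":2,"method":"call","params":'
         '["SID","system","board",{}]},'
         '{"jsonrpc":"2.0","id":3,"method":"call","params":'
         '["SID","luci.https-dns-proxy","setInitAction",{"name":"https-dns-proxy;x"}]}]')

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("batch", BATCH)):
        print(label, suspicious_calls(body))
```

The check needs the decrypted request body, so it belongs at a TLS-terminating reverse proxy or in a log pipeline that records POST bodies for /ubus.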
Impact
Successful exploitation results in arbitrary command execution as the root user, leading to full compromise of the OpenWrt device. The attacker can install persistent backdoors, exfiltrate data, or pivot to other network hosts. The confidentiality, integrity, and availability of the device are completely undermined [1][3].
Mitigation
As of the publication date, no patched version of luci-app-https-dns-proxy has been released. The vulnerability affects all versions through 2025.12.29-5. Users are advised to remove the luci-app-https-dns-proxy package if not required, or restrict the luci.https-dns-proxy ACL permission to trusted administrators only. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [1][3].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: <=2025.12.29-5
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (2)
News mentions
No linked articles in our index yet.