VYPR
High severity · 7.3 · NVD Advisory · Published Apr 26, 2026 · Updated Apr 30, 2026

CVE-2026-7036

Description

A vulnerability was identified in Tenda i9 1.0.0.5(2204). It affects the function R7WebsSecurityHandler of the component HTTP Handler. The manipulation leads to path traversal. The attack can be carried out remotely. The exploit is publicly available and might be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unauthenticated path traversal in Tenda i9's R7WebsSecurityHandler allows remote attackers to bypass authentication and access administrative pages.

Vulnerability

Analysis

The Tenda i9 router firmware V1.0.0.5(2204) contains a critical whitelist bypass vulnerability in the HTTP handler's R7WebsSecurityHandler function. This function is designed to authenticate all incoming HTTP requests by checking if the URL begins with whitelisted prefixes (such as /public/ or /lang/) using strncmp. However, the code does not perform any path canonicalization after the prefix check. [1]

Exploitation

An unauthenticated remote attacker can send a crafted HTTP GET request that starts with a whitelisted prefix (e.g., /public/) followed by directory traversal sequences (../) to escape the restricted directory and reach sensitive backend files such as system_upgrade.asp. The PoC demonstrates that a request like GET /public/../system_upgrade.asp HTTP/1.1 bypasses the authentication check entirely and accesses administrative functions. [1]
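To make the Analysis and Exploitation sections concrete, here is an added illustration (not Tenda's code, whose handler lives in a closed firmware binary) of the raw-prefix check pattern the advisory describes beside a hardened form that canonicalises the path before the comparison. The prefix table and function names are assumptions, and the request path is assumed to be percent-decoded already.

```c
#include <stdbool.h>
#include <string.h>

/* Whitelisted prefixes named in the advisory; the real table is an assumption. */
static const char *const PUBLIC_PREFIXES[] = { "/public/", "/lang/" };
#define NPREFIX (sizeof PUBLIC_PREFIXES / sizeof PUBLIC_PREFIXES[0])

/* Vulnerable pattern: a bare strncmp on the raw request path, as described.
 * "/public/../system_upgrade.asp" passes because it starts with "/public/". */
bool is_public_vulnerable(const char *path) {
    for (size_t i = 0; i < NPREFIX; i++)
        if (strncmp(path, PUBLIC_PREFIXES[i], strlen(PUBLIC_PREFIXES[i])) == 0)
            return true;
    return false;
}

/* Resolve "." and ".." segments and collapse "//" into out.  Fails closed:
 * returns false if the path is not absolute, climbs above "/", or exceeds cap. */
bool canonicalize_path(const char *path, char *out, size_t cap) {
    if (path[0] != '/' || cap < 2) return false;
    bool dir = path[strlen(path) - 1] == '/';
    size_t len = 0;                       /* out holds "/seg/seg", no trailing '/' */
    for (const char *p = path + 1; *p; ) {
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t n = (size_t)(p - seg);
        if (*p == '/') p++;
        if (n == 0 || (n == 1 && seg[0] == '.')) continue;   /* "//" or "/./" */
        if (n == 2 && seg[0] == '.' && seg[1] == '.') {        /* "/../" */
            if (len == 0) return false;                        /* would leave the root */
            while (out[--len] != '/') ;                        /* drop last segment */
            continue;
        }
        if (len + n + 3 > cap) return false;                   /* '/' + seg + '/' + NUL */
        out[len++] = '/';
        memcpy(out + len, seg, n);
        len += n;
    }
    if (len == 0 || dir) out[len++] = '/';
    out[len] = '\0';
    return true;
}

/* Hardened pattern: canonicalise first, then run the same prefix compare on
 * the canonical form, so "../" can no longer smuggle a private URL past it. */
bool is_public_fixed(const char *path) {
    char canon[256];
    return canonicalize_path(path, canon, sizeof canon) && is_public_vulnerable(canon);
}
```

Anything the canonicaliser rejects is treated as private, so the check fails closed rather than open; a production handler would also need to canonicalise after percent-decoding and apply the same rule to every alias of the admin pages.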

Impact

Successful exploitation lets an unauthenticated attacker access the administrative web panels and other restricted resources without credentials. This could lead to full device compromise, including changing settings, exfiltrating data, or using the router as a pivot point for further network attacks. [1]

Mitigation

As of the publication date (2026-04-26), no official patch has been announced by Tenda. The vendor's website [2] may provide firmware updates in the future, but currently the vulnerability remains unpatched. A proof-of-concept exploit is publicly available, increasing the risk of active exploitation. Users should consider restricting access to the router management interface or upgrading to a newer model if possible.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0

No linked articles in our index yet.