CVE-2026-58652

HIGH

luci-app-travelmate - Arbitrary Command Execution via UCI Script Parameter

Title source: cna
STIX 2.1

Description

luci-app-travelmate (and the travelmate package) contain a privilege-escalation flaw: a LuCI/rpcd session holding the luci-app-travelmate write ACL is granted config-wide UCI write access to the travelmate configuration. While the LuCI UI restricts the auto-login script picker to /etc/travelmate/*.login, this is only a frontend restriction. The backend travelmate service (running as root) reads the raw UCI 'script' and 'script_args' values and executes the configured path when the captive-portal auto-login branch (f_check() in travelmate-functions.sh) is reached. An attacker with delegated write permissions can set script to /bin/sh and script_args to attacker-controlled arguments, resulting in arbitrary command execution as root. Confirmed in luci-app-travelmate/travelmate 2.4.5-r3; the sink is still present in travelmate 2.4.6-1 and no patched version is known.

Scores

CVSS v3 7.5
EPSS 0.0048
EPSS Percentile 38.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-78
Status published
Products (3)
openwrt/luci-app-travelmate 2.4.5-r3
openwrt/travelmate 2.4.5-r3
openwrt/travelmate 2.4.6-1
Published Jul 02, 2026
Tracked Since Jul 02, 2026