PatchSiren cyber security CVE debrief

CVE-2026-11450 GL.iNet CVE debrief

A command injection vulnerability was detected in GL.iNet GL-MT3000 version 4.4.5. It affects the function dlopen in the library /usr/lib/oui-httpd/rpc/, part of the Path Normalization Handler component. An attacker can manipulate the argument dev_name to inject commands, enabling a remote attack. The vulnerability has a CVSS score of 6.9 and is classified as MEDIUM severity. Upgrading to version 4.7 mitigates this issue: that release enables method-level validation at the HTTP /rpc layer and removes nas-web.eject_disk from the whitelist of allowed methods.

Vendor: GL.iNet
Product: GL-MT3000
CVSS: MEDIUM 6.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-07
Original CVE updated: 2026-06-08
Advisory published: 2026-06-07
Advisory updated: 2026-06-08

Who should care

Administrators and users of GL.iNet GL-MT3000 version 4.4.5 should be aware of this vulnerability and take action to upgrade to version 4.7 or later to prevent potential remote attacks.

Technical summary

The vulnerability is caused by improper path normalization in the dlopen function of the /usr/lib/oui-httpd/rpc/ library. An attacker can exploit this by manipulating the dev_name argument to inject commands. The CVSS vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.

Defensive priority

MEDIUM

Recommended defensive actions

  • Upgrade GL.iNet GL-MT3000 to version 4.7 or later.
  • Implement method-level validation at the HTTP /rpc layer to restrict allowed methods.

Evidence notes

The vendor confirms that from version 4.7 onward, method-level validation has been enabled at the HTTP /rpc layer, and nas-web.eject_disk is no longer in the whitelist of allowed methods, preventing the remote exploit chain.
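To make the two defensive controls above concrete (the method allowlist at /rpc and argument checking on dev_name), here is an added example; it is not GL.iNet's or oui-httpd's code, and the allowlist contents, the dev_name policy, and the request and log formats are all assumed for illustration. The same gate is replayed over constructed log lines to flag requests it would have rejected.

```python
import re
from typing import Dict, List, Tuple

# Assumed allowlist of RPC methods exposed at /rpc (constructed for this example).
# nas-web.eject_disk is deliberately absent, mirroring the 4.7 change described above.
ALLOWED_METHODS = {"system.get_info", "nas-web.list_disks"}

# Placeholder device-name policy: a bare block-device node name such as sda or sda1,
# with no path separators and no characters a shell would interpret.
DEV_NAME_RE = re.compile(r"^[a-z][a-z0-9]*$")
SHELL_META = set(";|&`$<>\n(){}")


def validate_dev_name(dev_name: str) -> Tuple[bool, str]:
    """Argument-level check: reject anything that could change a command line."""
    if any(c in SHELL_META for c in dev_name):
        return False, "shell metacharacter in dev_name"
    if "/" in dev_name or ".." in dev_name:
        return False, "path separator in dev_name"
    if not DEV_NAME_RE.fullmatch(dev_name):
        return False, "dev_name does not match device pattern"
    return True, "ok"


def check_rpc_request(method: str, params: Dict[str, str]) -> Tuple[bool, str]:
    """Method-level gate first, then argument validation for methods that take dev_name."""
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not in allowlist"
    if "dev_name" in params:
        return validate_dev_name(params["dev_name"])
    return True, "ok"


# Constructed log lines in an assumed "<client> <method> dev_name=<value>" shape.
SAMPLE_LOG = """\
203.0.113.10 nas-web.list_disks dev_name=sda
203.0.113.11 nas-web.eject_disk dev_name=sda
203.0.113.12 nas-web.list_disks dev_name=sda;id
"""
LOG_RE = re.compile(r"^(\S+) (\S+) dev_name=(.*)$")


def flag_suspicious(log_text: str) -> List[Tuple[str, str]]:
    """Return (client, reason) for every logged request the gate would have rejected."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, dev = m.groups()
        ok, why = check_rpc_request(method, {"dev_name": dev})
        if not ok:
            hits.append((client, why))
    return hits
```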

Official resources

CVE-2026-11450 was published on 2026-06-07T03:16:27.247Z and modified on 2026-06-08T16:16:36.420Z.