Back to overview

CVE-2026-58652

HIGH Exploitation: PoC
7.5
CVSS 3.1
Description
luci-app-travelmate (and the travelmate package) contain a privilege-escalation flaw: a LuCI/rpcd session holding the luci-app-travelmate write ACL is granted config-wide UCI write access to the travelmate configuration. While the LuCI UI restricts the auto-login script picker to /etc/travelmate/*.login, this is only a frontend restriction. The backend travelmate service (running as root) reads the raw UCI 'script' and 'script_args' values and executes the configured path when the captive-portal auto-login branch (f_check() in travelmate-functions.sh) is reached. An attacker with delegated write permissions can set script to /bin/sh and script_args to attacker-controlled arguments, resulting in arbitrary command execution as root. Confirmed in luci-app-travelmate/travelmate 2.4.5-r3; the sink is still present in travelmate 2.4.6-1 and no patched version is known.

Metadata

CVE ID
CVE-2026-58652
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-07-01 21:54 UTC
Published
2026-07-02 12:28 UTC
Last updated
2026-07-02 13:16 UTC
Primary CWE
CWE-78
Improper Neutralization of Special Elements used in an OS Co…
Vendor / Product
openwrt / luci-app-travelmate
Sources
cve.org  ·  NVD

Severity & Metrics

7.5 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
SSVC — CISA Coordinator
Exploitation
PoC
Automatable
no
Tech. Impact
total
Affected products (2)
VendorProductPlatformVersions
openwrt luci-app-travelmate 2.4.5-r3
openwrt travelmate 2.4.5-r3, 2.4.6-1
Weakness (CWE)
CWESourceDescription
CWE-78 cna Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSS scores (2)
ScoreSeverityVersionSourceVector
7.7 HIGH 4.0 cna CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
7.5 HIGH 3.1 cna CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
References (7)
Back to overview