CVE-2026-62947 in OpenWrtinfo

Summary

by MITRE • 07/15/2026

OpenWrt is a Linux operating system targeting embedded devices. Prior to 25.12.5, the cgi-download handler in cgi-io authorizes the requested path against the caller's ubus session file ACL before canonicalization, and rpcd session.c uses fnmatch() without FNM_PATHNAME, allowing traversal such as an allowed wildcard prefix followed by ../ to read root-readable files including /etc/shadow. This vulnerability is fixed in 25.12.5.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/15/2026

The vulnerability described affects OpenWrt versions prior to 25.12.5 and involves a critical path traversal flaw within the cgi-io component that handles file downloads. This issue stems from improper authorization logic that occurs before canonicalization of file paths, creating an exploitable condition where attackers can bypass access controls through carefully crafted requests. The vulnerability specifically targets the interaction between the cgi-download handler and rpcd session management, where the system fails to properly validate file paths against user permissions.

The technical flaw manifests in how the ubus session file ACL is checked before path canonicalization occurs, allowing malicious actors to manipulate file access through directory traversal sequences. The rpcd session.c component utilizes fnmatch() function without the FNM_PATHNAME flag, which permits wildcard matching to span across directory boundaries. This configuration enables attackers with limited privileges to construct requests using patterns like "allowed_prefix/../../etc/shadow" that can successfully traverse the filesystem and access sensitive files readable by the root user. The vulnerability essentially allows unauthorized file reading through a combination of weak ACL validation and improper path normalization.

The operational impact of this vulnerability is severe as it enables attackers to read critical system files including /etc/shadow, which contains password hashes for all system users. This provides potential attackers with credentials that could lead to full system compromise, privilege escalation, and unauthorized access to sensitive data. The vulnerability affects embedded devices running affected OpenWrt versions, making it particularly concerning for network infrastructure devices, routers, and IoT equipment that rely on proper file access controls. The exploitation requires only knowledge of a valid wildcard prefix pattern, making the attack surface relatively broad and accessible.

This vulnerability aligns with CWE-22 (Path Traversal) and represents a classic case of improper input validation combined with weak access control mechanisms. The flaw demonstrates poor security design principles where authorization checks occur before proper path canonicalization, violating the principle of least privilege and secure coding practices. From an ATT&CK perspective, this vulnerability maps to T1078 (Valid Accounts) and T1566 (Phishing) as it can be leveraged to gain access to system credentials and potentially escalate privileges. The fix implemented in version 25.12.5 addresses the core issue by ensuring proper path canonicalization before authorization checks and by correctly configuring fnmatch() with appropriate flags to prevent directory traversal. Organizations should immediately upgrade affected systems to mitigate this risk, as the vulnerability could be exploited by remote attackers without requiring authentication or specialized tools beyond knowledge of valid access patterns.

The remediation involves implementing proper path validation that occurs after canonicalization rather than before, ensuring that all file paths are normalized and validated against user permissions consistently. Additionally, the fnmatch() function calls must be configured with appropriate flags to prevent wildcard matching across directory boundaries, preventing attackers from exploiting pattern matching functions for unauthorized access. System administrators should also review and tighten ubus session file ACL configurations to minimize the potential impact of such vulnerabilities in future deployments.

Responsible

GitHub M

Reservation

07/15/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!