CVE-2026-58000

HIGH 8.8

luci-proto-openvpn - Command Injection via cl_meta Parameter in generateKey

CVSS Score

8.8

EPSS Score

0.0%

EPSS Percentile

0th

luci-proto-openvpn through 0.11.1, fixed in commit e4ff45e, contains a command injection vulnerability in the generateKey ubus method where the cl_meta parameter is interpolated into a shell command without proper escaping or quoting. An authenticated LuCI user with OpenVPN protocol configuration access can inject arbitrary shell metacharacters into cl_meta to execute commands as root via the popen function.

CWE	CWE-78
Vendor	openwrt
Product	luci
Published	Jun 29, 2026
Last Updated	Jun 29, 2026

Stay Ahead of the Next One

Get instant alerts for openwrt luci

Be the first to know when new high vulnerabilities affecting openwrt luci are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

openwrt / luci

0 ≤ 0.11.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/openwrt/luci/security/advisories/GHSA-pm9w-522m-8rrh github.com: https://github.com/openwrt/luci/commit/e4ff45ecbc6ad212951815c8c99b2749fbd7de6b vulncheck.com: https://www.vulncheck.com/advisories/luci-proto-openvpn-command-injection-via-cl-meta-parameter-in-generatekey

Credits

George Chen