๐Ÿ” CVE Alert

CVE-2026-62947

MEDIUM 4.9

OpenWrt: ACL bypass and arbitrary root file read via cgi-io cgi-download

CVSS Score
4.9
EPSS Score
0.0%
EPSS Percentile
0th

OpenWrt is a Linux operating system targeting embedded devices. Prior to 25.12.5, the cgi-download handler in cgi-io authorizes the requested path against the caller's ubus session file ACL before canonicalization, and rpcd session.c uses fnmatch() without FNM_PATHNAME, allowing traversal such as an allowed wildcard prefix followed by ../ to read root-readable files including /etc/shadow. This vulnerability is fixed in 25.12.5.

CWE CWE-22
Vendor openwrt
Product openwrt
Published Jul 15, 2026
Last Updated Jul 15, 2026
Stay Ahead of the Next One

Get instant alerts for openwrt openwrt

Be the first to know when new medium vulnerabilities affecting openwrt openwrt are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Affected Versions

openwrt / openwrt
< 25.12.5

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/openwrt/openwrt/security/advisories/GHSA-jw5r-xhf5-2xcq github.com: https://github.com/openwrt/cgi-io/pull/4 github.com: https://github.com/openwrt/cgi-io/commit/72990b7489872112df31c94032637c907760bae4 github.com: https://github.com/openwrt/openwrt/releases/tag/v25.12.5