CVE-2026-11449: GL.iNet GL-MT3000 LuCI JSON-RPC rpc rpc_sys command injection

Published Jun 7, 2026

A command injection vulnerability has been detected in GL.iNet GL-MT3000 4.4.5. It affects the function rpc_sys in /cgi-bin/luci/rpc, part of the LuCI JSON-RPC Interface component. The attack can be performed remotely. Upgrading to version 4.8.1 resolves the issue, and upgrading the affected component is advised. The vendor confirms: "The issue discovered by the vulnerability researcher on older firmware versions(4.4.5) has actually been fixed and mitigated in the new version. According to the latest firmware fixes, by default, firmware versions after 4.7.13 do not install LuCI, so this vulnerability cannot be exploited."

Affected Software

1 affected component
GL.iNet GL-MT3000=4.4.5, <4.8.1

Remediation

Recommended actions to resolve this vulnerability, in priority order.

  1. Upgrade

    Upgrade GL.iNet GL-MT3000 to a version that resolves this vulnerability.

    Fixed in 4.8.1
  2. Remove

    Remove LuCI from your environment.

    Uninstall or remove the LuCI (LuCI JSON-RPC Interface) component from affected devices (e.g., ensure /cgi-bin/luci/rpc is not present) if it is not required.

  3. Compensating control

    Use firmware versions newer than 4.7.13 (vendor notes firmware versions after 4.7.13 do not install LuCI by default), or otherwise ensure LuCI is not installed, to prevent exploitation.

  4. Operational

    Identify devices running vulnerable firmware version 4.4.5 and either upgrade them to 4.8.1 or remove/disable LuCI to mitigate the rpc_sys command injection.
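
The identification step above can be run over a device inventory. The following is an added example, not code from the vendor or from this advisory; the CSV layout, the luci field values (yes/no/unknown) and the sample rows are assumptions constructed for illustration, while the version thresholds come from the text above.

```python
# Added example: triage an inventory against the thresholds in this advisory.
import csv
import io
import re

FIXED = (4, 8, 1)              # "Fixed in 4.8.1"
LUCI_DEFAULT_OFF = (4, 7, 13)  # vendor: versions after this omit LuCI by default

def parse_version(text):
    """Return x.y.z as a tuple of ints, or None if the string is malformed."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip(), re.ASCII)
    return tuple(int(g) for g in m.groups()) if m else None

def triage(version_text, luci):
    """Classify one device; luci is 'yes', 'no' or 'unknown' (assumed field)."""
    version = parse_version(version_text)
    if version is None:
        return "unknown-version: check manually"
    if version >= FIXED:  # tuple compare, so 4.10.0 sorts after 4.8.1
        return "fixed"
    if luci == "no":
        return "mitigated: LuCI absent, upgrade when possible"
    if luci == "unknown" and version > LUCI_DEFAULT_OFF:
        return "verify: LuCI off by default, confirm it was not added"
    return "exposed: upgrade to 4.8.1 or remove LuCI"

# Constructed sample inventory (hostnames and rows are made up).
SAMPLE = """host,firmware,luci
rtr-a,4.4.5,yes
rtr-b,4.4.5,no
rtr-c,4.7.14,unknown
rtr-d,4.8.1,yes
rtr-e,4.7.13,unknown
rtr-f,4.8,unknown
"""

def triage_inventory(csv_text):
    """Map each host in the CSV text to its triage result."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["host"]: triage(row["firmware"], row["luci"]) for row in reader}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE).items():
        print(f"{host:8} {status}")
```

A device reported as "verify" still needs a direct check that LuCI is absent, since the vendor statement covers only the default install.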

Event History

Jun 7, 2026
CVE Published
via MITRE·02:15 AM
Data Sourced
via MITRE·02:15 AM
Data Sourced
via NVD·03:16 AM

Frequently Asked Questions

  1. What is the severity of CVE-2026-11449?

    CVE-2026-11449 has a medium severity rating of 6.3.

  2. How do I fix CVE-2026-11449?

    To mitigate CVE-2026-11449, upgrade the GL.iNet GL-MT3000 to version 4.8 or later.

  3. What type of vulnerability is CVE-2026-11449?

    CVE-2026-11449 is a command injection vulnerability in the GL.iNet GL-MT3000.

  4. Can CVE-2026-11449 be exploited remotely?

    Yes, CVE-2026-11449 can be exploited remotely via the LuCI JSON-RPC interface.

  5. What file is affected by CVE-2026-11449?

    CVE-2026-11449 affects the /cgi-bin/luci/rpc file on the GL.iNet GL-MT3000.
