CVE-2026-11450: GL.iNet GL-MT3000 Path Normalization dlopen command injection

Published Jun 7, 2026

A vulnerability was detected in GL.iNet GL-MT3000 firmware 4.4.5. It affects the function dlopen in the library /usr/lib/oui-httpd/rpc/ of the component Path Normalization Handler: manipulation of the argument devname results in command injection. The attack can be initiated remotely. Upgrading to version 4.7 resolves the issue, and upgrading the affected component is advised. The vendor confirms: "From version 4.7 onward, we have enabled method-level validation at the HTTP /rpc layer. nas-web.ejectdisk is no longer in the whitelist of allowed methods. Consequently, directly calling ejectdisk through the default /rpc endpoint returns Invalid params, preventing entry into subsequent dangerous functions and blocking the remote exploit chain described in the report." Taken together, the description and the vendor statement locate the remote entry point at the nas-web.ejectdisk method of the /rpc endpoint, which leads into the handler where the devname argument is used unsafely; 4.7 closes the chain by refusing that method at the /rpc layer before the handler behind it runs.

Affected Software

Affected component: GL.iNet GL-MT3000 firmware, versions before 4.7 (4.4.5 confirmed affected)

Remediation

Recommended actions to resolve this vulnerability, in priority order.

  1. Upgrade

    Upgrade the GL.iNet GL-MT3000 firmware to version 4.7 or later, which resolves this vulnerability.

    Fixed in 4.7
  2. Configuration

    The vendor's fix is method-level validation at the HTTP /rpc layer: nas-web.ejectdisk (the method name given in the vendor statement) is removed from the whitelist of allowed methods, so a direct call to it through the default /rpc endpoint returns 'Invalid params' and never reaches the dangerous functions behind it. This is behaviour shipped in firmware 4.7, not a setting an operator can toggle on 4.4.5; until the upgrade is applied, the practical interim measure is to limit which networks can reach the device's HTTP /rpc endpoint, since the attack is remote.

    HTTP /rpc layer: method-level validation enabled; nas-web.ejectdisk whitelist entry: removed
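The two halves of this advisory, the vendor's allowlist fix and the devname command injection it cuts off, as an added example that is not GL.iNet's code: a small C model of an RPC dispatcher that checks the method name against an allowlist before dispatch (the "method-level validation" of the vendor statement, with nas-web.ejectdisk absent and answered with Invalid params), next to the unsafe pattern in which a devname parameter is spliced into a shell command string, and a hardened version that validates the name and passes it as a single argv element instead of going through a shell. The allowlist contents, the method name nas-web.get_disk_info, the devname character rules and the umount command are assumptions for illustration; nothing here is taken from the GL-MT3000 firmware.

```c
/* Added example, not GL.iNet code: method allowlist at the RPC layer plus
 * devname handling, unsafe and hardened. Allowlist contents, the method
 * nas-web.get_disk_info, the devname rules and the umount command are
 * assumptions; only nas-web.ejectdisk comes from the vendor statement. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum rpc_result {
    RPC_OK = 0,
    RPC_INVALID_PARAMS = -32602,   /* JSON-RPC "Invalid params" code */
    RPC_INVALID_DEVNAME = -1
};

/* Hypothetical allowlist. nas-web.ejectdisk is deliberately absent, which is
 * what the vendor describes for 4.7: the method is refused before dispatch. */
static const char *const allowed_methods[] = {
    "system.get_info",
    "nas-web.get_disk_info",
};

int rpc_method_allowed(const char *method)
{
    size_t n = sizeof allowed_methods / sizeof allowed_methods[0];
    for (size_t i = 0; i < n; i++)
        if (strcmp(method, allowed_methods[i]) == 0)
            return 1;
    return 0;
}

/* UNSAFE pattern: devname is spliced into a shell command string. This only
 * builds the string (it never calls system()), so the example is safe to run;
 * the injection is visible in what system() would have received. */
int build_eject_command_unsafe(const char *devname, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "umount /dev/%s", devname);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Hardened: accept only something that looks like a block device node name.
 * Rejects shell metacharacters, '/', '.', leading '-' and over-long input. */
int validate_devname(const char *devname)
{
    size_t len = strlen(devname);
    if (len == 0 || len > 32)
        return 0;
    if (!isalpha((unsigned char)devname[0]))
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)devname[i];
        if (!isalnum(c) && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* Hardened eject: validated name, no shell. Fills an argv suitable for
 * execv()/posix_spawn(); returns the argument count or -1 on rejection. */
int build_eject_argv_safe(const char *devname, char *devpath, size_t pathlen,
                          const char *argv_out[3])
{
    if (!validate_devname(devname))
        return -1;
    int n = snprintf(devpath, pathlen, "/dev/%s", devname);
    if (n < 0 || (size_t)n >= pathlen)
        return -1;
    argv_out[0] = "umount";
    argv_out[1] = devpath;
    argv_out[2] = NULL;
    return 2;
}

/* Dispatcher: the allowlist check comes first, so a method that is not
 * whitelisted returns Invalid params without its handler ever running.
 * Methods that do run still validate their own arguments (defence in depth). */
enum rpc_result handle_rpc(const char *method, const char *devname)
{
    if (!rpc_method_allowed(method))
        return RPC_INVALID_PARAMS;
    if (strcmp(method, "nas-web.get_disk_info") == 0 && !validate_devname(devname))
        return RPC_INVALID_DEVNAME;
    return RPC_OK;
}

int main(void)
{
    char cmd[128];
    /* Constructed attacker input: a devname carrying a shell separator. */
    const char *evil = "sda1; reboot";

    build_eject_command_unsafe(evil, cmd, sizeof cmd);
    printf("unsafe pattern would run: %s\n", cmd);
    printf("validate_devname(\"%s\") = %d\n", evil, validate_devname(evil));
    printf("nas-web.ejectdisk via /rpc -> %d (Invalid params)\n",
           handle_rpc("nas-web.ejectdisk", "sda1"));
    printf("nas-web.get_disk_info with evil devname -> %d\n",
           handle_rpc("nas-web.get_disk_info", evil));
    return 0;
}
```

The ordering in handle_rpc is the point of the vendor's fix: a method that is not on the allowlist is rejected at the /rpc layer, so whatever its handler does with devname is unreachable remotely. The validate_devname and argv-based invocation show the second layer an operator would want in the handlers that remain reachable, since an allowlist only helps for methods that are not needed.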

Event History

Jun 7, 2026
  CVE Published via MITRE, 02:30 AM
  Data Sourced via MITRE, 02:30 AM (description, severity, weakness)
  Data Sourced via NVD, 03:16 AM (description, severity, weakness)

Frequently Asked Questions

1. What is the severity of CVE-2026-11450?

The severity of CVE-2026-11450 is high, with a score of 7.3.

2. What is the nature of the vulnerability in CVE-2026-11450?

CVE-2026-11450 is a command injection in the GL.iNet GL-MT3000: it affects the function dlopen in the library /usr/lib/oui-httpd/rpc/ of the Path Normalization Handler component, where the argument devname is used unsafely.

3. How can CVE-2026-11450 be exploited?

An attacker manipulates the argument devname, which allows arbitrary commands to be executed on the device. The attack can be initiated remotely; according to the vendor, the remote entry point is the nas-web.ejectdisk method of the HTTP /rpc endpoint.

4. What are the potential impacts of CVE-2026-11450?

Remote command execution on the router and, with it, possible full control over the affected device.

5. How do I fix CVE-2026-11450?

Update the GL.iNet GL-MT3000 firmware to version 4.7 or later, which adds method-level validation at the HTTP /rpc layer and removes nas-web.ejectdisk from the whitelist of allowed methods.

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203