Privilege Escalation Vulnerability in OpenWrt Operating System
CVE-2026-30874

1.8LOW

Key Information:

Vendor: Openwrt
Status: Openwrt
Vendor: CVE Published:; 19 March 2026

What is CVE-2026-30874?

A security vulnerability identified in the OpenWrt operating system enables attackers to bypass filtering of sensitive environment variables through a flaw in the hotplug_call function. By exploiting this vulnerability in versions prior to 24.10.6, an attacker can inject an arbitrary PATH variable, leading to the execution of malicious binaries with elevated privileges. The design intention was to block sensitive variables, but an incorrect comparison method failed to prevent access, thereby allowing unauthorized control over the execution of scripts intended for hotplug operations.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

openwrt < 24.10.6

References

https://github.com/openwrt/openwrt/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/openwrt/procd/commit/e08cdc8562f55b9ac...

x_refsource_MISC

CVSS V4

Score:

1.8

Severity:

LOW

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 19, 2026
Vulnerability Reserved
Mar 6, 2026

JSON

Openwrt