Privilege Escalation Vulnerability in OpenWrt Operating System
CVE-2026-30874

1.8LOW

Key Information:

Vendor: Openwrt
Status: Openwrt
Vendor: CVE Published:; 19 March 2026

What is CVE-2026-30874?

A security vulnerability identified in the OpenWrt operating system enables attackers to bypass filtering of sensitive environment variables through a flaw in the hotplug_call function. By exploiting this vulnerability in versions prior to 24.10.6, an attacker can inject an arbitrary PATH variable, leading to the execution of malicious binaries with elevated privileges. The design intention was to block sensitive variables, but an incorrect comparison method failed to prevent access, thereby allowing unauthorized control over the execution of scripts intended for hotplug operations.

Affected Version(s)

openwrt < 24.10.6

References

https://github.com/openwrt/openwrt/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/openwrt/procd/commit/e08cdc8562f55b9ac...

x_refsource_MISC

CVSS V4

Score:

1.8

Severity:

LOW

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 19, 2026
Vulnerability Reserved
Mar 6, 2026

CVE-2026-30874 Data

JSON

Openwrt

What is CVE-2026-30874?

Affected Version(s)

References

CVSS V4

Timeline