Privilege Escalation Vulnerability in luci-app-travelmate by OpenWrt
CVE-2026-58652

7.7 HIGH

Key Information:

Vendor: OpenWrt

CVE Published: 2 July 2026

What is CVE-2026-58652?

The luci-app-travelmate and travelmate packages contain a privilege escalation vulnerability that allows unauthorized users to execute arbitrary commands as root. The LuCI interface restricts access to specific login scripts, but this restriction is enforced only in the front end. The backend service still executes scripts defined in UCI configuration, particularly through the 'script' and 'script_args' parameters, which can lead to system compromise. The flaw was found in version 2.4.5-r3 and persists in 2.4.6-1, with no known patched versions available.
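Because the restriction exists only in the LuCI front end, a defender can audit the stored UCI values directly. The following is an added example, not code from the advisory or from the travelmate project; the allow-listed directory `/etc/travelmate`, the `.login` suffix, the conservative character set for `script_args`, and the sample `@uplink[N]` lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `uci show travelmate` style output for script settings.
# ALLOWED_DIR and the .login suffix are assumptions, not from the advisory.
ALLOWED_DIR="${ALLOWED_DIR:-/etc/travelmate}"

# Reads "key='value'" lines on stdin and prints one FLAG line per finding.
audit_travelmate_uci() {
    while IFS= read -r line; do
        key=${line%%=*}
        val=${line#*=}
        val=${val#\'}   # uci show wraps values in single quotes
        val=${val%\'}
        case "$key" in
            *.script)
                case "$val" in
                    '') ;;
                    */../*) echo "FLAG $key path traversal: $val" ;;
                    "$ALLOWED_DIR"/*.login) ;;
                    *) echo "FLAG $key outside allow-list: $val" ;;
                esac ;;
            *.script_args)
                # Anything left after removing the conservative set is suspect.
                rest=$(printf '%s' "$val" | tr -d 'A-Za-z0-9_.@:/= -')
                if [ -n "$rest" ]; then
                    echo "FLAG $key unexpected characters: $val"
                fi ;;
        esac
    done
}

# Constructed sample input (not captured from a real device).
sample_config() {
    cat <<'EOF'
travelmate.@uplink[0].script='/etc/travelmate/wifionice.login'
travelmate.@uplink[0].script_args='user1 pass1'
travelmate.@uplink[1].script='/tmp/x.sh'
travelmate.@uplink[2].script='/etc/travelmate/../../tmp/y.login'
travelmate.@uplink[2].script_args='user1;placeholder'
EOF
}

findings() { sample_config | audit_travelmate_uci; }

# On a device: uci show travelmate | audit_travelmate_uci
findings
```

Any FLAG line means the backend would be handed a value that the front-end restriction described above would not have accepted.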

Affected Version(s)

luci-app-travelmate 2.4.5-r3

travelmate 2.4.5-r3

CVSS V4

Score: 7.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

ZwCrazyThursday