Log Parsing Vulnerability in luci-app-banip by OpenWrt
CVE-2026-62184

8.7HIGH

Key Information:

Vendor

Openwrt

Status
Vendor
CVE Published:
13 July 2026

What is CVE-2026-62184?

The luci-app-banip contains a log parsing vulnerability that puts users at risk through improper handling of log line data. Specifically, the awk-based parser is designed to extract the first IPv4 address found within a log entry, regardless of its actual field position. This flaw opens the door for attackers to inject arbitrary IP addresses into the system via fields that are typically controlled by the user, such as usernames. Consequently, an unauthenticated remote attacker can exploit this vulnerability to manipulate the banIP system, causing it to erroneously block the wrong target IP address, while leaving the real attacker unimpeded. This misconfiguration undermines the efficacy of the security measures intended to protect network integrity.

Affected Version(s)

luci 0 <= 0.11.1

luci d9bbc372e29618a8807b693a1ccf6d0e42cd196c

References

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

lujie (@lujiefsi)
.