Directory Traversal Vulnerability in OpenWrt CGI-IO Component
CVE-2026-62947
4.9MEDIUM
What is CVE-2026-62947?
A directory traversal vulnerability exists in OpenWrt's cgi-io component prior to version 25.12.5. This flaw permits unauthorized access to root-readable files, including sensitive files like /etc/shadow, by misusing a wildcard prefix followed by a '../' sequence. The vulnerability arises from the inadequately implemented authorization checks within the cgi-download handler, which leads to path traversal issues before the canonicalization of requested paths. Administrators are advised to upgrade to version 25.12.5 to mitigate this security risk.
Affected Version(s)
openwrt < 25.12.5
