CVE-2026-59260
OpenWrt · LuCI
A privilege management vulnerability in OpenWrt's luci-app-samba4 allows authenticated delegated users to execute the Samba daemon with arbitrary arguments, leading to command execution.
Executive summary
An improper privilege management vulnerability in OpenWrt's luci-app-samba4 allows an authenticated user to escalate privileges and achieve arbitrary command execution as root.
Vulnerability
This is a privilege management flaw (CWE-269) where the luci-app-samba4 read ACL incorrectly grants execution permissions for /usr/sbin/smbd. This allows authenticated users to pass malicious global options, such as the message command, to a root-level smbd process.
Business impact
With a CVSS score of 8.8, this vulnerability represents a critical risk of full system compromise. An authenticated attacker can gain root-level code execution, effectively bypassing all security controls on the affected device, which may lead to total loss of system confidentiality, integrity, and availability.
Remediation
Immediate Action: Monitor the official OpenWrt security advisory at https://github.com/openwrt/luci/security/advisories/GHSA-vx64-mmp7-h36c for patch availability and apply updates as soon as they are released.
Proactive Monitoring: Monitor system logs for unauthorized attempts to invoke Samba-related commands or unusual process spawning from the web interface service.
Compensating Controls: Restrict administrative access to the LuCI interface and disable the Samba4 application if it is not strictly necessary for network functionality.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
This vulnerability presents a high risk of total system takeover. Organizations should audit their use of the luci-app-samba4 package and ensure that all administrative interfaces are protected by strong authentication, while awaiting the vendor's fix.