CVE-2026-62184
OpenWrt · LuCI
The luci-app-banip component in OpenWrt is vulnerable to log injection, where an attacker can influence log parsing to inject arbitrary IP addresses.
Executive summary
A log parsing vulnerability in the OpenWrt luci-app-banip plugin allows unauthenticated attackers to manipulate IP blacklists, potentially causing a denial-of-service or security bypass.
Vulnerability
The application utilizes an awk-based parser that fails to properly sanitize or validate log fields (CWE-116). An unauthenticated attacker can inject arbitrary IP addresses via controlled fields like usernames, which the parser then incorrectly extracts and processes.
Business impact
By injecting arbitrary IP addresses into the ban list, an attacker can cause legitimate traffic to be blocked, resulting in a denial-of-service (DoS) condition. With a CVSS score of 7.5, this vulnerability is significant for network infrastructure integrity, potentially allowing attackers to disrupt network security enforcement mechanisms.
Remediation
Immediate Action: Update the luci-app-banip package to the version containing the fix for commit d9bbc372e29618a8807b693a1ccf6d0e42cd196c.
Proactive Monitoring: Monitor firewall logs and banip activity for unexpected or suspicious IP addresses appearing in the blocklist that do not correlate with actual malicious behavior.
Compensating Controls: If immediate patching is not feasible, consider disabling the automated log-parsing features of the banip application to prevent unauthorized manipulation.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
The integrity of network security controls is paramount. Organizations utilizing the OpenWrt luci-app-banip plugin should apply the provided fix immediately to ensure that log parsing remains secure and resistant to malicious injection.