CVE Catalog

CVE-2026-58652

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.48%

38th percentile — higher than 38% of all known CVEs

Summary

A privilege escalation flaw in luci-app-travelmate and the travelmate package allows a session with UCI write ACL to set arbitrary script and arguments, executed as root by the travelmate service. The UI restriction to /etc/travelmate/*.login is only frontend.

Risk Assessment

An attacker with delegated write permissions can gain full root access to the system, executing arbitrary commands. This leads to complete device compromise and potential network security breach.

Recommendation

Immediately restrict UCI write access for luci-app-travelmate to trusted administrators only. Until a patch is available, consider disabling the travelmate service or applying additional firewall/blocking rules.

Original NVD description (English source)

luci-app-travelmate (and the travelmate package) contain a privilege-escalation flaw: a LuCI/rpcd session holding the luci-app-travelmate write ACL is granted config-wide UCI write access to the travelmate configuration. While the LuCI UI restricts the auto-login script picker to /etc/travelmate/*.login, this is only a frontend restriction. The backend travelmate service (running as root) reads the raw UCI 'script' and 'script_args' values and executes the configured path when the captive-portal auto-login branch (f_check() in travelmate-functions.sh) is reached. An attacker with delegated write permissions can set script to /bin/sh and script_args to attacker-controlled arguments, resulting in arbitrary command execution as root. Confirmed in luci-app-travelmate/travelmate 2.4.5-r3; the sink is still present in travelmate 2.4.6-1 and no patched version is known.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS