Home

Description

luci-app-banip contains a log parsing vulnerability where the awk-based parser extracts the first IPv4 address from log lines regardless of field position, allowing attackers to inject arbitrary IPs via attacker-controlled fields like usernames. An unauthenticated remote attacker can inject an IP address into the login username field, causing banIP to block the wrong target while the real attacker remains unblocked.

PUBLISHED Reserved 2026-07-13 | Published 2026-07-13 | Updated 2026-07-14 | Assigner VulnCheck




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem types

Improper Encoding or Escaping of Output

Product status

Default status
unaffected

Any version
affected

d9bbc372e29618a8807b693a1ccf6d0e42cd196c (git)
unaffected

Credits

lujie (@lujiefsi) reporter

References

github.com/...t/luci/security/advisories/GHSA-r6hx-4f83-vp8m (GitHub Security Advisory (GHSA-r6hx-4f83-vp8m)) vendor-advisory

github.com/...ommit/d9bbc372e29618a8807b693a1ccf6d0e42cd196c (Patch Commit) patch

www.vulncheck.com/...-banip-log-monitor-ip-extraction-bypass (VulnCheck Advisory: luci-app-banip Log Monitor IP Extraction Bypass) third-party-advisory

cve.org (CVE-2026-62184)

nvd.nist.gov (CVE-2026-62184)

Download JSON