JustAppSec

Authenticated settings abuse enables server-side code execution in LibreNMS

Published 13 Apr 2026. Updated 13 Apr 2026. Source: CVEProject (cvelistV5)

TL;DR — A LibreNMS administrator can turn the built-in network-tools feature into host-level code execution by changing the configured tool paths and then invoking the netcmd endpoint.

What happened

LibreNMS is an open-source network monitoring system with a web UI used to configure devices, credentials, and operational settings.

CVE-2026-6204 describes an authenticated remote code execution issue where an attacker with administrative privileges can abuse the Binary Locations configuration (the feature that lets admins set absolute paths for diagnostic binaries) together with the Netcommand feature to run attacker-chosen commands/scripts on the LibreNMS server.

The GitHub security advisory describes the execution path as:

  • Admin-configurable binary paths at /settings/external/binaries.
  • Tool invocation through the GET /ajax/netcmd endpoint (e.g., cmd=whois), where the advisory explains an input filter can be bypassed.
Item | Source value
Vulnerability | Authenticated remote code execution (RCE) via binary path abuse
CWE | CWE-78 OS Command Injection
Severity | CVSS v4.0 8.5 (High)
CVSS vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Affected versions (CVE record) | librenms versions < 26.3.0
Patched version (GitHub advisory) | 26.3.0

This is a high-signal “admin-to-host” breakout pattern: any environment that treats the LibreNMS web UI as just a monitoring dashboard (versus a host-admin surface) is likely underestimating the blast radius.

Who is impacted

  • Deployments running librenms/librenms versions before 26.3.0.
  • Environments where LibreNMS administrator accounts exist (human admins, shared admin accounts, or automation) and can reach the affected settings and endpoints.
  • Higher-risk setups where the LibreNMS server can reach internal systems or has access to sensitive credentials (common in monitoring stacks).

What to do now

  • Upgrade to 26.3.0 or later (the GitHub advisory lists 26.3.0 as the patched release) and follow any additional vendor remediation guidance.
  • Treat LibreNMS admin access as equivalent to server administration for threat modeling purposes: reduce admin account count, enforce strong auth, and restrict admin UI exposure.
  • Audit for signs of abuse: unexpected changes to the configured binary paths, and unusual GET /ajax/netcmd invocations (unexpected cmd values, shell metacharacters in arguments, or calls that closely follow a settings change).
  • If compromise is suspected, assume the LibreNMS host identity and reachable secrets may be exposed (monitoring credentials, API tokens) and respond accordingly.
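The audit step above has two halves: confirm that the configured binary paths are still the ones you expect, and look for netcmd calls that follow a settings change or carry suspicious arguments. The script below is an added example (not LibreNMS code and not from the advisory) that does both over constructed input. Assumptions it makes: each diagnostic tool's path is a setting named after the tool (for example a "whois" setting holding /usr/bin/whois), the netcmd target is passed in a `query` parameter, the settings UI persists changes with a non-GET request under /settings/ (the `PUT /settings/whois` route in the sample is hypothetical), and the access log is in combined format. The sample log lines are constructed.

```python
"""Audit helpers for the LibreNMS binary-path / netcmd abuse pattern.

Added example, not LibreNMS code. Assumptions are marked in comments.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Assumption: one absolute path per diagnostic tool, setting named after the tool.
EXPECTED_TOOLS = {"whois", "ping", "traceroute", "mtr", "nmap", "snmpwalk"}
TRUSTED_DIRS = {"/usr/bin", "/usr/sbin", "/bin", "/sbin", "/usr/local/bin", "/usr/local/sbin"}
WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm", "/home", "/opt/librenms/storage")


def audit_binary_paths(paths):
    """Return (tool, path, reason) tuples for binary settings that look tampered with."""
    findings = []
    for tool, path in paths.items():
        if not path.startswith("/"):
            findings.append((tool, path, "not an absolute path"))
            continue
        directory, _, basename = path.rpartition("/")
        if any(path.startswith(d + "/") for d in WRITABLE_DIRS):
            findings.append((tool, path, "lives in a user-writable location"))
        elif directory not in TRUSTED_DIRS:
            findings.append((tool, path, "outside the trusted system directories"))
        if basename != tool:
            findings.append((tool, path, f"binary name '{basename}' does not match tool"))
    return findings


# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
SHELL_META = re.compile(r"[;&|`$<>]")


def parse_line(line):
    """Parse one combined-format access log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], TS_FMT)
    url = urlsplit(e["target"])
    e["path"] = url.path
    e["query"] = {k: v[0] for k, v in parse_qs(url.query).items()}  # percent-decoded
    return e


def audit_access_log(lines, window=timedelta(minutes=30)):
    """Flag settings writes, odd netcmd calls, and the write-then-invoke sequence."""
    findings = []
    last_settings_write = {}  # client ip -> timestamp of most recent settings write
    for e in filter(None, (parse_line(line) for line in lines)):
        # Assumption: settings are persisted by a non-GET request under /settings/.
        if e["path"].startswith("/settings/") and e["method"] != "GET":
            last_settings_write[e["ip"]] = e["ts"]
            findings.append((e["ts"], e["ip"], "settings write", e["path"]))
            continue
        if e["path"] != "/ajax/netcmd":
            continue
        cmd = e["query"].get("cmd", "")
        target = e["query"].get("query", "")  # assumed parameter name for the target
        if cmd not in EXPECTED_TOOLS:
            findings.append((e["ts"], e["ip"], "netcmd with unexpected cmd", cmd))
        if SHELL_META.search(target):
            findings.append((e["ts"], e["ip"], "netcmd query with shell metacharacters", target))
        prev = last_settings_write.get(e["ip"])
        if prev is not None and e["ts"] - prev <= window:
            findings.append((e["ts"], e["ip"], "netcmd shortly after settings write", cmd))
    return findings


# Constructed sample log: an admin edits a binary path, then calls netcmd;
# a second client sends a target with an injected command separator.
SAMPLE_LOG = """\
10.0.0.5 - admin [12/Apr/2026:09:14:02 +0000] "GET /settings/external/binaries HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - admin [12/Apr/2026:09:14:40 +0000] "PUT /settings/whois HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.0.0.5 - admin [12/Apr/2026:09:15:05 +0000] "GET /ajax/netcmd?cmd=whois&query=example.com HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
10.0.0.9 - noc [12/Apr/2026:11:02:11 +0000] "GET /ajax/netcmd?cmd=ping&query=10.0.0.1 HTTP/1.1" 200 800 "-" "Mozilla/5.0"
10.0.0.9 - noc [12/Apr/2026:11:03:30 +0000] "GET /ajax/netcmd?cmd=ping&query=10.0.0.1%3Bid HTTP/1.1" 200 900 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    # Constructed settings snapshot: one path moved to /tmp, one pointing at a shell.
    for f in audit_binary_paths({"whois": "/usr/bin/whois", "ping": "/tmp/ping", "mtr": "/usr/bin/bash"}):
        print("CONFIG", *f)
    for f in audit_access_log(SAMPLE_LOG):
        print("LOG   ", *f)
```

On a real host, feed `audit_binary_paths` with the current values of the binary-path settings (LibreNMS exposes them through its `lnms config:get` command) and `audit_access_log` with the web server's access log for the LibreNMS virtual host. Treat the write-then-invoke finding as the highest-signal one: a single legitimate path edit followed by tool use is plausible, but a path pointing into a writable directory followed by netcmd calls is the exact sequence the advisory describes.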

"Loading Binary Path from a config file instead of exposing settings in WebUI can eliminate this issue."


Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
