Skip to content
Threat Feed
low advisory

CVE-2026-62184 - luci-app-banip Log Parsing Vulnerability

A log parsing vulnerability in OpenWrt's luci-app-banip allows an unauthenticated remote attacker to inject arbitrary IPv4 addresses into log lines via crafted input fields, leading to the misidentification and blocking of legitimate users or services while the true attacker remains unblocked.

A significant vulnerability, CVE-2026-62184, has been identified in luci-app-banip, an application designed for banIP functionality on OpenWrt systems. This flaw stems from a log parsing issue where the awk-based parser in luci-app-banip indiscriminately extracts the first IPv4 address it encounters in log lines, regardless of its actual position or context. This design error allows an unauthenticated remote attacker to inject an arbitrary IP address into an attacker-controlled input field, such as a login username. By leveraging this vulnerability, an attacker can manipulate luci-app-banip to incorrectly identify and block a legitimate target's IP address, effectively causing a denial of service for an innocent party, while the attacker's true origin IP remains unblocked and free to continue malicious activities.

Attack Chain

  1. An unauthenticated attacker identifies and accesses a system running luci-app-banip.
  2. The attacker attempts to interact with an application function that logs user-controlled input, such as a login attempt using a username field.
  3. The attacker crafts the input field (e.g., username) to include a legitimate IPv4 address embedded within a seemingly normal string (e.g., validuser;1.2.3.4).
  4. The luci-app-banip application processes the interaction, generating a log entry containing the crafted input.
  5. The awk-based parser within luci-app-banip analyzes this log entry for potential malicious IP addresses.
  6. Due to the parsing vulnerability, luci-app-banip incorrectly extracts the embedded IP address (1.2.3.4) as the malicious source IP.
  7. luci-app-banip then initiates an action to block the system associated with the extracted IP address (1.2.3.4), which belongs to a legitimate user or service.
  8. The legitimate user or service at 1.2.3.4 experiences a denial of service due to being mistakenly blocked, while the attacker's actual IP address remains unblocked, allowing them to persist.

Impact

This vulnerability can lead to significant disruption and operational challenges. If successfully exploited, luci-app-banip will mistakenly block legitimate users or services, causing a denial of service for innocent parties. This can impact critical system access, interrupt network operations, and create a false sense of security for defenders as the true attacker remains unblocked and undetected by the banIP mechanism. While no specific victim counts or sectors were identified in the disclosure, any organization utilizing luci-app-banip on OpenWrt is susceptible to this type of evasion and misdirection, potentially leading to prolonged attacks or service outages.

Recommendation

  • Patch CVE-2026-62184 by updating luci-app-banip to a version that addresses the log parsing vulnerability.
  • Monitor log sources for luci-app-banip for repeated blocking of known legitimate IP addresses that do not originate suspicious activity.
  • Review authentication logs for luci-app-banip-enabled systems for unusual login attempts that contain embedded IP addresses in username or other input fields.