LuCI DHCPv6 Lease Hostname Stored Cross-Site Scripting Vulnerability (CVE-2026-61876)
LuCI versions are vulnerable to CVE-2026-61876, a stored Cross-Site Scripting (XSS) flaw in their DHCPv6 lease hostname rendering logic, allowing an adjacent network attacker to inject malicious HTML markup that executes in an administrator's browser when viewing DHCP lease status pages.
CVE-2026-61876 identifies a high-severity stored Cross-Site Scripting (XSS) vulnerability affecting LuCI, the default web interface for OpenWrt-based routers and network devices. This flaw arises from LuCI's failure to properly encode DHCPv6 lease hostnames before displaying them in administrative status tables. An attacker with adjacent network access can craft a malicious DHCPv6 Client FQDN containing script tags or other HTML markup. When an administrator subsequently views the DHCPv6 lease status page within the LuCI web interface, the injected malicious code executes in their browser. This client-side code execution can lead to various compromises within the administrative session, including session hijacking, credential theft, or unauthorized actions within the LuCI interface.
Attack Chain
- An attacker gains presence on the same adjacent network segment as the vulnerable LuCI-managed OpenWrt device.
- The attacker crafts a DHCPv6 Client Fully Qualified Domain Name (FQDN) containing a malicious XSS payload, such as
<script>alert(document.domain)</script>. - The attacker sends a DHCPv6 request to the OpenWrt device, including the malicious FQDN in the request.
- The OpenWrt device, running the LuCI web interface, processes the DHCPv6 request and stores the malicious FQDN in its internal DHCP lease table.
- An administrator logs into the LuCI web interface and navigates to the DHCPv6 lease status page to view network client information.
- The LuCI web interface queries the stored DHCP lease data, retrieves the malicious FQDN, and constructs an HTML response for the administrator's browser.
- Due to improper encoding, LuCI embeds the attacker's malicious FQDN directly into the HTML without sanitization.
- The administrator's browser renders the page, executing the injected script within the context of the LuCI administrative interface, potentially leading to session hijacking or further compromise.
Impact
Successful exploitation of CVE-2026-61876 results in client-side code execution within an administrator's browser while they are logged into the LuCI web interface. This can lead to session hijacking, allowing the attacker to take over the administrator's session and perform actions on the OpenWrt device. Attackers could also steal credentials, deface the administrative interface, or redirect the administrator to malicious websites. Such compromise of a router's administrative interface could grant attackers control over network configuration, traffic routing, and potentially provide a foothold for further attacks against the internal network.
Recommendation
- Patch CVE-2026-61876 by updating LuCI to a version that properly encodes DHCPv6 lease hostnames. Refer to the OpenWrt project's advisories for specific version updates.
- Implement network segmentation to restrict DHCPv6 requests to trusted devices and prevent adjacent network attackers from reaching the router's DHCP service.
- Educate administrators on the risks of XSS and suspicious behavior when interacting with web interfaces, even trusted ones.