Description
Certain GL.iNet devices with 4.x firmware allow authentication bypass (resulting in administrative control of the device) via a username that is both a valid SQL statement and a valid regular expression. For example, this affects version 4.3.7 on GL-MT3000 GL-AR300M GL-B1300 GL-AX1800 GL-AR750S GL-MT2500 GL-AXT1800 GL-X3000 and GL-SFT1200.
Published: 2026-05-08
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows an attacker to bypass authentication on certain GL.iNet routers by submitting a specially crafted username that is both a syntactically valid SQL statement and a regular expression. The resulting authentication bypass grants full administrative access, enabling the attacker to alter device configuration, install malware, or disrupt network services. The weakness is a direct exploitation of improper input validation and authorization checks, putting the confidentiality, integrity, and availability of the network infrastructure at risk.

Affected Systems

Affected devices are GL.iNet routers running the 4.x firmware series, specifically models GL-MT3000, GL-AR300M, GL-B1300, GL-AX1800, GL-AR750S, GL-MT2500, GL-AXT1800, GL-X3000, and GL-SFT1200. The vulnerability has been confirmed for firmware version 4.3.7; other 4.x releases are likely affected but not explicitly confirmed in the available data.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical severity, and the EPSS score of <1% indicates a low likelihood of exploitation in the near term. Nonetheless, the remote authentication bypass allows an attacker to gain full administrative control, which is a high‑impact capability. The attack vector is inferred to be local or remote management interfaces, where an attacker sends a specially crafted username to the login endpoint. The vulnerability is not listed in the CISA KEV catalog, so no widespread exploitation is reported yet, but the potential for targeted attacks remains significant.

Generated by OpenCVE AI on May 8, 2026 at 22:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update from GL.iNet that resolves the username injection flaw to eliminate the authentication bypass. This is the highest priority action, as it directly removes the vulnerability.
  • If a firmware upgrade cannot be performed immediately, isolate the device by disabling remote management services and restricting access to the router’s web interface to trusted local clients only. This reduces the attack surface exposed to potential attackers.
  • Implement strict account controls on the router: enforce strong, unique passwords for all user accounts, and consider disabling default or unused accounts. Monitor management logs for suspicious login attempts.

Generated by OpenCVE AI on May 8, 2026 at 22:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://www.exploit-db.com/exploits/51865 cve-icon cve-icon cve-icon
History

Wed, 13 May 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Gl-inet
Gl-inet glinet Devices
Vendors & Products Gl-inet
Gl-inet glinet Devices

Fri, 08 May 2026 21:30:00 +0000

Type Values Removed Values Added
Title Authentication Bypass via SQL Injection in GL.iNet 4.x Firmware Devices
Weaknesses CWE-284

Fri, 08 May 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 08 May 2026 08:30:00 +0000

Type Values Removed Values Added
Title Authentication Bypass via SQL Injection in GL.iNet 4.x Firmware Devices
Weaknesses CWE-284
CWE-89

Fri, 08 May 2026 07:00:00 +0000

Type Values Removed Values Added
Description Certain GL.iNet devices with 4.x firmware allow authentication bypass (resulting in administrative control of the device) via a username that is both a valid SQL statement and a valid regular expression. For example, this affects version 4.3.7 on GL-MT3000 GL-AR300M GL-B1300 GL-AX1800 GL-AR750S GL-MT2500 GL-AXT1800 GL-X3000 and GL-SFT1200.
References

Subscriptions

Gl-inet Glinet Devices
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-08T18:59:23.304Z

Reserved: 2023-10-23T00:00:00.000Z

Link: CVE-2023-46453

cve-icon Vulnrichment

Updated: 2026-05-08T18:55:34.508Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-08T07:16:27.850

Modified: 2026-05-08T20:16:28.533

Link: CVE-2023-46453

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T10:51:45Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')