Description
Unraid Web Server ToggleState Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Unraid. Authentication is required to exploit this vulnerability.

The specific flaw exists within ToggleState.php. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the www-data user. Was ZDI-CAN-30134.
Published: 2026-06-24
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability arises from insufficient validation of a user-supplied string in the ToggleState.php script, allowing attackers to inject arbitrary shell commands that are executed with the privileges of the www-data user. The consequence of a successful exploit is full remote code execution on the affected Unraid host. The weakness is a classic command-injection flaw (CWE-78).
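
To make the weakness class concrete, the following is an added, hypothetical PHP illustration, not Unraid's ToggleState.php (whose code is not shown on this page): a handler that concatenates a request parameter into a shell command, beside a hardened handler that allowlists the value and passes it to the program as argv. The script path, the svc-ctl command and the parameter names are assumptions.

```php
<?php
// Added illustration of the CWE-78 pattern described above. This is NOT
// Unraid's ToggleState.php: the svc-ctl command, its path and the request
// parameter names are hypothetical. It contrasts the vulnerable shape
// (user input concatenated into a shell string) with a hardened handler.

// Vulnerable shape: whatever the client sends becomes part of the command
// line, so shell metacharacters in $state change what gets executed.
function toggle_state_vulnerable(array $request): string
{
    $state = $request['state'] ?? '';
    return (string) shell_exec("/usr/local/sbin/svc-ctl docker " . $state);
}

// Hardened shape: (1) accept only values from a fixed allowlist, and
// (2) hand the arguments to the program as an argv array via proc_open(),
// which on PHP >= 7.4 bypasses the shell entirely, so there is no command
// string in which metacharacters could be interpreted. If a shell string is
// unavoidable, escapeshellarg() on every value is the minimum.
const ALLOWED_STATES = ['start', 'stop'];   // hypothetical set of actions

function run_argv(array $argv): string
{
    $proc = proc_open($argv, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('failed to start ' . $argv[0]);
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

function toggle_state_hardened(array $request): string
{
    $state = $request['state'] ?? '';
    // Strict comparison: no type juggling, no partial matches.
    if (!in_array($state, ALLOWED_STATES, true)) {
        http_response_code(400);
        return 'rejected';
    }
    return run_argv(['/usr/local/sbin/svc-ctl', 'docker', $state]);
}
```

Wiring the hardened handler to a real request means reading the parameter from $_POST and checking the session before calling it, which is left out here to keep the contrast readable.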

Affected Systems

All Unraid installations that include the vulnerable ToggleState.php component are affected. Exact version numbers are not provided in the advisory, so any configuration exposing this endpoint should be considered vulnerable until a patch is applied.

Risk and Exploitability

The CVSS score of 8.8 denotes high severity, and the requirement for authentication limits exploitation to users with valid credentials to the Unraid web interface. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. Attackers would need network access to the Unraid web interface and valid login credentials to supply malicious input to the toggle state API endpoint, after which arbitrary code is executed as www-data.

Generated by OpenCVE AI on June 25, 2026 at 00:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Acquire and install the latest Unraid update that addresses the ToggleState command injection flaw.
  • Restrict external access to the Unraid web server, for example by firewalling the port or placing the host behind a reverse proxy that limits exposed endpoints.
  • Enforce strong authentication or enable two-factor authentication on the Unraid web interface to reduce the likelihood that compromised credentials can be used to exploit the vulnerability.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:45:00 +0000

Type         Values Removed   Values Added
Description  -                Unraid Web Server ToggleState Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Unraid. Authentication is required to exploit this vulnerability. The specific flaw exists within ToggleState.php. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the www-data user. Was ZDI-CAN-30134.
Title        -                Unraid Web Server ToggleState Command Injection Remote Code Execution Vulnerability
Weaknesses   -                CWE-78
References   -                -
Metrics      -                cvssV3_0 {'score': 8.8, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-06-24T21:35:35.679Z

Reserved: 2026-05-27T22:10:25.320Z

Link: CVE-2026-9773

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T00:30:03Z

Weaknesses
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')