The vulnerability CVE-2026-26791 affects the GL-iNet GL-AR300M16 router running firmware version 4.3.11. It is a command injection flaw categorized under CWE-77, which arises from improper input validation of the 'port' parameter in the enable_echo_server function. This function likely controls an echo server feature on the device, and the lack of sanitization allows an attacker to inject arbitrary shell commands. The vulnerability is remotely exploitable over the network without requiring any authentication or user interaction, making it highly accessible to attackers. The CVSS v3.1 base score of 9.8 reflects the critical nature of this flaw, with attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and impacts on confidentiality, integrity, and availability all rated high (C:H/I:H/A:H). Exploiting this vulnerability could allow an attacker to fully compromise the device, execute arbitrary code, disrupt network operations, or pivot into internal networks. Although no public exploits are currently known, the vulnerability's characteristics suggest it could be weaponized quickly. The absence of a patch link indicates that a fix may not yet be available, emphasizing the urgency for mitigation and monitoring.

The impact of CVE-2026-26791 is severe for organizations using the GL-iNet GL-AR300M16 routers. Successful exploitation can lead to complete device compromise, allowing attackers to execute arbitrary commands with root privileges. This can result in unauthorized access to internal networks, interception or manipulation of network traffic, disruption of network services, and potential lateral movement to other critical infrastructure. The confidentiality of sensitive data passing through the device can be compromised, integrity of network configurations and data can be altered, and availability of network services can be disrupted or denied. Given the router’s role as a network edge device, exploitation could serve as a foothold for broader attacks within enterprise or home networks. The lack of authentication and user interaction requirements increases the risk of automated exploitation and wormable attacks. Organizations relying on these devices for secure connectivity or IoT deployments face heightened risk, potentially affecting business continuity and data security.

To mitigate CVE-2026-26791, organizations should immediately restrict external network access to GL-iNet GL-AR300M16 devices by implementing firewall rules that limit management interfaces to trusted IP addresses only. Disable the echo server feature if it is not required, as this reduces the attack surface. Monitor network traffic and device logs for unusual commands or connections that could indicate exploitation attempts. Employ network segmentation to isolate vulnerable devices from critical infrastructure. Regularly check for firmware updates from GL-iNet and apply patches as soon as they become available. If a patch is not yet released, consider temporary device replacement or using alternative hardware. Additionally, implement intrusion detection/prevention systems (IDS/IPS) tuned to detect command injection patterns targeting this vulnerability. Educate network administrators about the risk and signs of compromise related to this vulnerability to ensure rapid incident response.