CVE-2026-26794 identifies a critical SQL injection vulnerability in the GL-iNet GL-AR300M16 router firmware version 4.3.11. The vulnerability resides in the add_group() function, which is responsible for managing group-related data within the device's backend database. Due to insufficient input validation and sanitization, an attacker can craft a malicious HTTP request that injects arbitrary SQL commands. This allows unauthorized manipulation of the router's internal database, potentially leading to unauthorized data access, modification, or deletion. The vulnerability requires network-level access and low privileges (PR:L), but no user interaction is necessary, facilitating remote exploitation. The CVSS v3.1 base score is 8.8, reflecting high impact on confidentiality, integrity, and availability, with an attack vector of network (AV:N), low attack complexity (AC:L), and no user interaction (UI:N). Although no public exploits have been reported, the severity and ease of exploitation make this a significant threat. The lack of available patches increases the urgency for mitigation. This vulnerability falls under CWE-89, the common weakness enumeration for SQL injection, a well-known and widely exploited class of vulnerabilities in web-facing applications and embedded devices.

The impact of CVE-2026-26794 is substantial for organizations deploying the GL-iNet GL-AR300M16 routers, especially in environments where these devices manage sensitive network segments or critical infrastructure. Exploitation can lead to unauthorized disclosure of sensitive configuration data, credentials, or user information stored in the router’s database. Attackers could alter device configurations, create persistent backdoors, or disrupt network availability by corrupting database entries, resulting in denial of service. This compromises the confidentiality, integrity, and availability of the affected systems. Given the router’s role as a network gateway, successful exploitation could serve as a pivot point for lateral movement within corporate or industrial networks, amplifying the overall risk. The absence of patches and known exploits in the wild suggests a window of opportunity for attackers to develop and deploy exploits, potentially targeting organizations before mitigations are in place.

To mitigate CVE-2026-26794 effectively, organizations should implement the following measures: 1) Immediately restrict access to the router’s management interface by enforcing network segmentation and firewall rules to limit HTTP access to trusted administrators only. 2) Monitor network traffic for anomalous HTTP requests targeting the add_group() function or unusual SQL-like payloads indicative of injection attempts. 3) Disable or limit remote management features if not strictly necessary, reducing the attack surface. 4) Regularly audit router configurations and logs for signs of unauthorized changes or suspicious activity. 5) Engage with GL-iNet support channels to obtain information on forthcoming patches or firmware updates addressing this vulnerability and apply them promptly once available. 6) Consider deploying intrusion detection or prevention systems capable of detecting SQL injection patterns at the network perimeter. 7) For critical environments, evaluate replacing affected devices with models confirmed to be free of this vulnerability or with vendor support for timely security updates.