CVE-2026-26794 identifies a SQL injection vulnerability in the GL-iNet GL-AR300M16 router firmware version 4.3.11. The vulnerability resides in the add_group() function, which processes HTTP requests to add user groups or similar entities. Due to insufficient input sanitization, an attacker can craft malicious HTTP requests that inject arbitrary SQL commands into the backend database. This can lead to unauthorized reading, modification, or deletion of sensitive data stored on the device, including configuration settings and user credentials. The vulnerability does not require authentication, meaning attackers can exploit it remotely without prior access. Although no public exploits have been reported yet, the nature of SQL injection vulnerabilities makes them highly exploitable once discovered. The affected device is a popular embedded router used in various regions for small office and home networking. The lack of a CVSS score necessitates a severity assessment based on impact and exploitability factors. The vulnerability compromises confidentiality, integrity, and potentially availability of the device’s data and functions. Given the ease of exploitation and the critical role of routers in network security, this vulnerability poses a significant risk to affected users.

The impact of CVE-2026-26794 is substantial for organizations and individuals using the GL-iNet GL-AR300M16 router. Successful exploitation can lead to unauthorized access to sensitive configuration data, user credentials, and network settings, potentially allowing attackers to manipulate network traffic or pivot to internal networks. This can result in data breaches, network downtime, or further compromise of connected systems. Since the vulnerability does not require authentication, attackers can remotely exploit it without prior access, increasing the attack surface. For organizations relying on these devices for secure connectivity, this vulnerability undermines network integrity and confidentiality. Additionally, compromised routers can be used as footholds for launching broader attacks, including man-in-the-middle or denial-of-service attacks. The absence of known exploits currently limits immediate widespread impact, but the vulnerability’s presence in widely deployed devices means the risk of future exploitation is high.

To mitigate CVE-2026-26794, organizations and users should prioritize the following actions: 1) Apply firmware updates from GL-iNet as soon as a patch addressing this vulnerability is released. Monitor official vendor channels for announcements. 2) If patches are not yet available, implement network-level protections such as firewall rules to restrict HTTP access to the router’s management interface from untrusted networks. 3) Disable remote management features on the device unless absolutely necessary, reducing exposure to external attackers. 4) Employ network segmentation to isolate vulnerable devices from critical infrastructure. 5) Conduct regular audits of router configurations and logs to detect suspicious activity indicative of exploitation attempts. 6) Consider deploying web application firewalls or intrusion detection systems capable of identifying and blocking SQL injection payloads targeting the router’s HTTP interface. 7) Educate users about the risks of exposing router management interfaces to the internet. These targeted mitigations go beyond generic advice by focusing on immediate risk reduction until official patches are available.