Cyber Resilience

CVE-2026-6204

HighPublic PoCRCE

Published: 13 April 2026

Published
13 April 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score v4 8.5 CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0753 93.7th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-6204 is a high-severity OS Command Injection (CWE-78) vulnerability in Librenms Librenms. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 6.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-6204 is an authenticated remote code execution vulnerability in LibreNMS versions before 26.3.0. The issue stems from abusing the Binary Locations configuration and the Netcommand feature, enabling OS command injection as classified under CWE-78. Published on 2026-04-13, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high-impact potential within a privileged context.

An authenticated attacker with administrative privileges can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows execution of arbitrary code on the underlying web server, resulting in high confidentiality, integrity, and availability impacts, up to full server compromise.

The LibreNMS GitHub security advisory (GHSA-pr3g-phhr-h8fh) and a Project Black blog post detailing the authenticated RCE provide additional technical details, including a proof-of-concept for the binary path RCE. Affected versions before 26.3.0 should be upgraded to mitigate the vulnerability.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

LibreNMS versions before 26.3.0 are affected by an authenticated remote code execution vulnerability by abusing the Binary Locations config and the Netcommand feature. Successful exploitation requires administrative privileges. Exploitation could result in compromise of the underlying web server.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Authenticated OS command injection (CWE-78) in public-facing web app enables remote code execution via Unix shell commands.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-51092Same product: Librenms Librenms
CVE-2026-26988Same product: Librenms Librenms
CVE-2026-26990Same product: Librenms Librenms
CVE-2020-36947Same product: Librenms Librenms
CVE-2026-2041Same product class: network monitoring / SIEM
CVE-2024-14003Same product class: network monitoring / SIEM
CVE-2020-36867Same product class: network monitoring / SIEM
CVE-2025-34284Same product class: network monitoring / SIEM
CVE-2026-2043Same product class: network monitoring / SIEM
CVE-2024-14005Same product class: network monitoring / SIEM

Affected Assets

librenms
librenms
≤ 26.3.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the authenticated RCE vulnerability by requiring timely remediation through patching LibreNMS to version 26.3.0 or later.

prevent

Prevents OS command injection (CWE-78) in Binary Locations configuration and Netcommand by validating and sanitizing untrusted inputs.

prevent

Reduces exploitability by configuring LibreNMS to disable or restrict unnecessary features like Netcommand and Binary Locations if not essential.

References