CVE-2026-6204
Published: 13 April 2026
Summary
CVE-2026-6204 is a high-severity OS Command Injection (CWE-78) vulnerability in Librenms Librenms. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 0.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the authenticated RCE vulnerability by requiring timely remediation through patching LibreNMS to version 26.3.0 or later.
Prevents OS command injection (CWE-78) in Binary Locations configuration and Netcommand by validating and sanitizing untrusted inputs.
Reduces exploitability by configuring LibreNMS to disable or restrict unnecessary features like Netcommand and Binary Locations if not essential.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Authenticated OS command injection (CWE-78) in public-facing web app enables remote code execution via Unix shell commands.
NVD Description
LibreNMS versions before 26.3.0 are affected by an authenticated remote code execution vulnerability by abusing the Binary Locations config and the Netcommand feature. Successful exploitation requires administrative privileges. Exploitation could result in compromise of the underlying web server.
Deeper analysisAI
CVE-2026-6204 is an authenticated remote code execution vulnerability in LibreNMS versions before 26.3.0. The issue stems from abusing the Binary Locations configuration and the Netcommand feature, enabling OS command injection as classified under CWE-78. Published on 2026-04-13, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high-impact potential within a privileged context.
An authenticated attacker with administrative privileges can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows execution of arbitrary code on the underlying web server, resulting in high confidentiality, integrity, and availability impacts, up to full server compromise.
The LibreNMS GitHub security advisory (GHSA-pr3g-phhr-h8fh) and a Project Black blog post detailing the authenticated RCE provide additional technical details, including a proof-of-concept for the binary path RCE. Affected versions before 26.3.0 should be upgraded to mitigate the vulnerability.
Details
- CWE(s)