CVE-2026-6204
Published: 13 April 2026
Summary
CVE-2026-6204 is a high-severity OS Command Injection (CWE-78) vulnerability in Librenms Librenms. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 6.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-6204 is an authenticated remote code execution vulnerability in LibreNMS versions before 26.3.0. The issue stems from abusing the Binary Locations configuration and the Netcommand feature, enabling OS command injection as classified under CWE-78. Published on 2026-04-13, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high-impact potential within a privileged context.
An authenticated attacker with administrative privileges can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows execution of arbitrary code on the underlying web server, resulting in high confidentiality, integrity, and availability impacts, up to full server compromise.
The LibreNMS GitHub security advisory (GHSA-pr3g-phhr-h8fh) and a Project Black blog post detailing the authenticated RCE provide additional technical details, including a proof-of-concept for the binary path RCE. Affected versions before 26.3.0 should be upgraded to mitigate the vulnerability.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-21908
Vulnerability details
LibreNMS versions before 26.3.0 are affected by an authenticated remote code execution vulnerability by abusing the Binary Locations config and the Netcommand feature. Successful exploitation requires administrative privileges. Exploitation could result in compromise of the underlying web server.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Authenticated OS command injection (CWE-78) in public-facing web app enables remote code execution via Unix shell commands.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the authenticated RCE vulnerability by requiring timely remediation through patching LibreNMS to version 26.3.0 or later.
Prevents OS command injection (CWE-78) in Binary Locations configuration and Netcommand by validating and sanitizing untrusted inputs.
Reduces exploitability by configuring LibreNMS to disable or restrict unnecessary features like Netcommand and Binary Locations if not essential.