CVE-2026-7067
Published: 27 April 2026
Summary
CVE-2026-7067 is a high-severity Injection (CWE-74) vulnerability in Notion (inferred from references). Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked in the top 18.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 directly prevents command injection by requiring validation and sanitization of untrusted inputs such as the DHCP Hostname argument in udhcpd.
SI-2 mandates timely remediation of flaws like this command injection vulnerability through patching or compensating controls.
SA-22 prohibits or mitigates the use of unsupported end-of-life components like the vulnerable D-Link DIR-822, where no patches are available.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection in udhcpd DHCP service enables remote unauthenticated code execution on the router, mapping to exploitation of remote services (T1210) and Unix shell command execution (T1059.004).
NVD Description
A vulnerability was determined in D-Link DIR-822 A_101. The impacted element is the function system of the file /udhcpcd/dhcpd.c of the component udhcpd DHCP Service. This manipulation of the argument Hostname causes command injection. The attack can be initiated remotely.…
more
The exploit has been publicly disclosed and may be utilized. This vulnerability only affects products that are no longer supported by the maintainer.
Deeper analysisAI
CVE-2026-7067 is a command injection vulnerability affecting the D-Link DIR-822 A_101 router. The issue lies in the system function of the file /udhcpcd/dhcpd.c within the udhcpd DHCP Service component, where manipulation of the Hostname argument enables command injection. This flaw, associated with CWE-74 and CWE-77, was published on 2026-04-27 and carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L).
Remote attackers can exploit this vulnerability without authentication or user interaction by sending a specially crafted DHCP request with a malicious Hostname. Successful exploitation allows limited impacts on confidentiality, integrity, and availability, potentially enabling arbitrary command execution on the device.
Advisories note that the vulnerability only affects products no longer supported by the maintainer, with no patches available. Details on the exploit, which has been publicly disclosed, are provided in references including a Notion site analysis and VULDB entries (e.g., https://tzh00203.notion.site/D-Link-DIR-822-A1-Command-Injection-in-udhcpd-via-DHCP-Hostname-337b5c52018a80d9b638d0fa59969e6b, https://vuldb.com/vuln/359642).
The exploit is publicly available and may be utilized against vulnerable, end-of-life devices.
Details
- CWE(s)