=====================================================================
                            CERT-Renater

                Information Note No. 2026/VULN627
_____________________________________________________________________

DATE                 : 12/06/2026

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running librenms (Composer) versions
                       prior to 26.5.0.

=====================================================================
https://github.com/librenms/librenms/security/advisories/GHSA-c9fv-cgmm-2wg7
_____________________________________________________________________

Remote Code Execution by Signal Alert Transportation module

High
laf published GHSA-c9fv-cgmm-2wg7 Jun 10, 2026

Package           : librenms/librenms (Composer)
Affected versions : >= 21.6.0
Patched versions  : 26.5.0

Description

Summary

A vulnerability has been identified that allows an authenticated
administrator to execute arbitrary code on the host server. By adding
an alert transport entry, an attacker with administrative privileges
can execute malicious commands.

Details

The vulnerability is caused by an unsafe exec call in the deliverAlert
function of LibreNMS/Alert/Transport/Signal.php. Escapes for the path
of signal-cli and the Recipient field are insufficient to prevent
command-line injection.

The composer_wrapper.php under scripts is also vulnerable to command
injection (unsafe exec calls) when the injected command is passed as
an argument, and it accepts arguments passed by deliverAlert.

By chaining these unsafe exec calls, a malicious admin user can
execute any executable on the server's filesystem.

PoC

1. Under Dashboard -> Alert -> Alert Transports
2. Create a new Alert Transport entry.
   a. Select Signal as Transport type.
   b. Put ../scripts/composer_wrapper.php into Path.
   c. Put the command to execute under Recipient with ; at the start
      and the end of string.
3. Click Save Transport, and after the popup closes, click the Test
   Transport button under Action of the created Alert Transport entry.

The command is executed.

Impact

This vulnerability allows a malicious actor to achieve Remote Code
Execution (RCE), potentially leading to complete system compromise,
data exfiltration, or lateral movement within the network.

Remediation Advice

- Escape user inputs, and avoid passing them directly into the exec
  function. (scripts/composer_wrapper.php)
- Avoid setting executable paths directly in the web interface.
  Instead, use a config value, and only allow setting executable
  paths by command line interface.
  (LibreNMS/Alert/Transport/Signal.php)

Severity   : High
CVE ID     : No known CVE
Weaknesses : CWE-77
Credits    : @YuriNek0 (Reporter)

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================
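
The remediation advice above, sketched as an added example (not LibreNMS code and not the project's 26.5.0 fix): the binary path is checked against a server-side allowlist, the recipient is validated, and the program is started without a shell. The helper names, the allowlist paths, the phone-number-only recipient rule and the `send -m` argument layout are assumptions.

```php
<?php
// Hypothetical helpers, not LibreNMS code. Assumption: operators list the
// resolved (symlink-free) signal-cli locations in server-side configuration;
// nothing in the web UI can change this list.
const SIGNAL_CLI_ALLOWLIST = ['/usr/bin/signal-cli', '/usr/local/bin/signal-cli'];

function resolveSignalCli(string $configured): string
{
    $real = realpath($configured); // collapses "../" segments and symlinks
    if ($real === false || !in_array($real, SIGNAL_CLI_ALLOWLIST, true)) {
        throw new InvalidArgumentException('signal-cli path is not allowlisted');
    }
    return $real;
}

function validateRecipient(string $recipient): string
{
    // Assumption: recipients are E.164 phone numbers. The anchored pattern also
    // rejects a leading "-" that the program could parse as an option.
    if (preg_match('/\A\+[1-9][0-9]{6,14}\z/', $recipient) !== 1) {
        throw new InvalidArgumentException('recipient is not an E.164 number');
    }
    return $recipient;
}

function sendSignalAlert(string $path, string $recipient, string $message): int
{
    $to = validateRecipient($recipient);
    $bin = resolveSignalCli($path);
    // An argv array makes proc_open() (PHP >= 7.4) start the program directly,
    // so no shell ever parses the path, the recipient or the message.
    // Assumption: "send -m <message> <recipient>" is the argument layout used.
    $null = ['file', '/dev/null', 'w'];
    $proc = proc_open([$bin, 'send', '-m', $message, $to], [1 => $null, 2 => $null], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('failed to start signal-cli');
    }
    return proc_close($proc); // exit status of signal-cli
}

// Constructed inputs shaped like the PoC values; both are rejected before any process starts.
$cases = [['../scripts/composer_wrapper.php', '+33100000000'],
          ['/usr/bin/signal-cli', ';<command>;']];
foreach ($cases as [$path, $recipient]) {
    try {
        sendSignalAlert($path, $recipient, 'test alert');
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```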