Security Advisories (Vulnerabilities and CVEs) April 15 2026
Dear all,
In this post, you will find a list of vulnerabilities and CVEs we've recently found on particular GL.iNet KVM models.
Please check the firmware versions affected by the vulnerabilities and CVEs. If you're affected, you are strongly advised to upgrade your KVM to the firmware version containing the fixes as soon as possible.
| Model Number | Affected Firmware Version | Resolved Firmware Version |
|---|---|---|
| GL-RM1 | V1.8.1 and earlier | V1.8.2 |
| GL-RM10 | V1.8.1 and earlier | V1.8.2 |
| GL-RM10RC | V1.8.1 and earlier | V1.8.2 |
| GL-RM1PE | V1.8.0 and earlier | V1.8.2 |
CVE-2026-32290
- Summary: KVM does not sufficiently verify the authenticity of uploaded firmware files.
- Credit to: Eclypsium
CVE-2026-32291
- Summary: KVM does not require authentication on the UART serial console.
- Credit to: Eclypsium
CVE-2026-32292
- Summary: An attacker-in-the-middle or a compromised update server could modify the firmware and the corresponding MD5 hash to pass verification.
- Credit to: Eclypsium
CVE-2026-32293
- Summary: An attacker-in-the-middle or a compromised update server could modify the firmware and the corresponding MD5 hash to pass verification.
- Credit to: Eclypsium
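
The summaries for CVE-2026-32292 and CVE-2026-32293 describe a digest that travels with the image, so it proves only that the two match, not who produced them. The following is an added illustration, not GL.iNet's code: the manifest layout, key and function names are hypothetical, and an HMAC with a device-held key stands in for a vendor signature so that it runs on the Python standard library alone.

```python
import hashlib
import hmac

# Constructed sample data; none of it comes from a real firmware image.
GENUINE_FW = b"constructed-firmware-image build-A"
MODIFIED_FW = b"constructed-firmware-image build-A (altered in transit)"
DEVICE_KEY = b"constructed-key-known-only-to-vendor-and-device"  # hypothetical


def vendor_publish(firmware: bytes) -> dict:
    """Build an update manifest (hypothetical format) carrying both checks."""
    return {
        "firmware": firmware,
        "md5": hashlib.md5(firmware).hexdigest(),
        "tag": hmac.new(DEVICE_KEY, firmware, hashlib.sha256).hexdigest(),
    }


def rewrite_in_transit(manifest: dict, new_firmware: bytes) -> dict:
    """Model a party on the path: it can replace every field it sees,
    but it does not hold DEVICE_KEY, so the tag is left as it was."""
    altered = dict(manifest)
    altered["firmware"] = new_firmware
    altered["md5"] = hashlib.md5(new_firmware).hexdigest()
    return altered


def check_md5_only(manifest: dict) -> bool:
    """Integrity only: compares the image against a digest from the same channel."""
    return hashlib.md5(manifest["firmware"]).hexdigest() == manifest["md5"]


def check_authenticated(manifest: dict) -> bool:
    """Authenticity: recompute the keyed tag and compare in constant time."""
    expected = hmac.new(DEVICE_KEY, manifest["firmware"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["tag"])


def compare_checks() -> dict:
    """Run both checks on a genuine manifest and on one altered in transit."""
    genuine = vendor_publish(GENUINE_FW)
    altered = rewrite_in_transit(genuine, MODIFIED_FW)
    return {
        "genuine": (check_md5_only(genuine), check_authenticated(genuine)),
        "altered": (check_md5_only(altered), check_authenticated(altered)),
    }


if __name__ == "__main__":
    for name, (md5_ok, auth_ok) in compare_checks().items():
        print(f"{name}: md5-only accepts={md5_ok}, authenticated accepts={auth_ok}")
```

With an asymmetric signature in place of the HMAC, the device would hold only a public key, so extracting it from one unit would not allow images to be forged for others.
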
CVE-2026-5959
- Summary: The KVM fails to clear the user binding relationship after a user binds to the device and then resets it.
- Credit to: Dustin Eastman
This is an announcement rather than a discussion thread. To report security bugs, please send an email to security@gl-inet.com. We have a 90-day policy for vulnerability disclosure.