
Two flaws in Unraid's control panel let a logged-in user seize the whole server

Two command injection flaws in Unraid's web panel, CVE-2026-9772 and CVE-2026-9773, let any logged-in user run code as www-data. Both are fixed in version


If you run an Unraid box, the most important security control on it is no longer the login screen. On June 24, 2026, Trend Micro's Zero Day Initiative published two advisories for the Unraid web management panel, and both end the same way: any account that can log in can run operating-system commands on the server. Update to Unraid 7.3.0, and if that panel is reachable from the internet, treat that as the more urgent half of the job.

What was disclosed

The two bugs sit in different parts of the same web server. CVE-2026-9773 lives in ToggleState.php; its sibling CVE-2026-9772 lives in FileUpload.php. Each is an OS command injection: the code takes a value the user controls and hands it to a system call without scrubbing it first, so a crafted value is executed as a shell command instead of being treated as data. Both earned a CVSS score of 8.8, and both run the attacker's commands as www-data, the account the web interface itself runs under.
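To make the "hands it to a system call without scrubbing it first" shape concrete, here is an added example that is not Unraid's code and not taken from either advisory. It is hypothetical Python standing in for a PHP handler: `vulnerable_command` builds the shell string such code would execute, `hardened_toggle` shows the two controls that close this class (an allow-list on the value, and passing arguments as an argv list so the OS never parses them as shell syntax), and `quoted_fallback` shows escaping for the rare case where a shell string is unavoidable. The device and state names are constructed.

```python
"""Command-injection sink beside its hardened form (added example, not Unraid code)."""
import json
import re
import shlex
import subprocess
import sys

# Constructed allow-lists: what this hypothetical toggle endpoint legitimately accepts.
ALLOWED_STATES = {"on", "off"}
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")
SHELL_METACHARS = re.compile(r"[;&|`$<>\n\r]")


def vulnerable_command(device: str, state: str) -> str:
    """The vulnerable pattern: user-controlled values are spliced into one shell
    string. Returned rather than executed; a shell would treat any ';' or '|'
    inside `state` as a second command, not as data."""
    return f"/usr/local/sbin/toggle_device {device} {state}"  # hypothetical binary


def contains_shell_metachar(value: str) -> bool:
    """Input check: does the value carry characters a shell would interpret?"""
    return bool(SHELL_METACHARS.search(value))


def hardened_toggle(device: str, state: str) -> list:
    """The hardened pattern: reject anything outside the allow-list, then pass the
    values as separate argv entries. The child process is a Python one-liner that
    reports the argv it received, so the return value shows each user value
    arriving as exactly one argument with no shell in between."""
    if state not in ALLOWED_STATES:
        raise ValueError(f"state must be one of {sorted(ALLOWED_STATES)}")
    if not SAFE_NAME.match(device):
        raise ValueError("device name contains characters outside the allow-list")
    argv = [
        sys.executable, "-c",
        "import sys, json; print(json.dumps(sys.argv[1:]))",
        device, state,
    ]
    # No shell=True: argv goes straight to execve(), so metacharacters are inert.
    result = subprocess.run(argv, check=True, capture_output=True, text=True)
    return json.loads(result.stdout)


def quoted_fallback(device: str, state: str) -> str:
    """If a shell string is truly unavoidable, quote every user value (PHP's
    escapeshellarg plays the same role). Allow-listing first is still preferred."""
    return "toggle_device " + shlex.quote(device) + " " + shlex.quote(state)


if __name__ == "__main__":
    tainted = "on; echo injected"  # constructed, benign value with a second command
    print("vulnerable string:", vulnerable_command("disk1", tainted))
    print("metachar check:", contains_shell_metachar(tainted))
    print("hardened argv seen by child:", hardened_toggle("disk1", "on"))
    print("quoted fallback:", quoted_fallback("disk1", tainted))
```

Running it shows the vulnerable string carrying a second command, the check rejecting the same value, and the hardened path delivering `["disk1", "on"]` to the child untouched.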

The Zero Day Initiative is also the CVE Numbering Authority here, and the cve.org record classifies the ToggleState flaw as CWE-78, OS command injection. Unraid was notified on April 22 and shipped the fix in version 7.3.0, whose release notes describe broader hardening of how the web interface handles authenticated requests. The advisories went public on June 24.

"Authentication required" is doing less work than it sounds

Both advisories list authentication as a precondition, and that does take these out of internet-scanner-finds-you territory. It does not make them low risk. Unraid is a single-administrator appliance: the web panel is the entire management surface for storage arrays, Docker containers, and virtual machines, and a working login is often one shared password away. Many owners expose that panel directly to the internet, or put it behind a thin reverse proxy, precisely because it is how they manage the box remotely. In that setup the login page is the only thing standing between a reused or phished credential and a shell on the host.

There is a second, quieter risk. A command injection that needs a valid session is exactly the kind of bug that pairs with an authentication-bypass flaw to become a full unauthenticated chain. Unraid has had auth-bypass issues before. Treat an authenticated RCE not as a contained problem but as the back half of an exploit chain someone may complete later.

The pattern is worth more than either bug

Two separate command-injection sinks in one web application, disclosed on the same day, are not a coincidence of bad luck. They point at a class of input handling where user-supplied values reach shell calls without a consistent validation layer in between. Fixing the two reported entry points is necessary; assuming they were the only two would be the mistake. This is the same shape of problem that keeps showing up in self-hosted management software, from services that ship unlocked by default to exposed device management interfaces: the admin plane is powerful, it runs with real privilege, and one missed sanitization turns a feature into a foothold.

Update to 7.3.0, then get the panel off the internet

The fix order matters here.

  • Update to Unraid 7.3.0 (or later). This is the only step that actually closes both bugs. If you cannot update immediately, shrink who can reach the panel.
  • Take the web GUI off the public internet. Reach it over a VPN, a private tunnel, or Unraid's own remote-access option instead of a forwarded port. This blunts both the credential-theft path and any future auth-bypass chain.
  • Use a strong, unique administrator password. Because the precondition is a valid login, password reuse is the realistic way in. Rotate it if it has ever been shared or reused.

On the detection side, the useful signal is process lineage. Command execution as www-data means the web server's PHP worker spawning a shell or a network tool it has no business launching. Watch for child processes of the web stack that are not part of normal operation, unexpected outbound connections from the NAS, and new scheduled tasks. On an appliance that should mostly serve files and run a fixed set of containers, the baseline is quiet enough that a shell spawned by the web panel stands out. This is the same instinct that pays off with other host-level escapes: the host should not be surprising you with new processes.

Unraid sits in a lot of homelabs and small-business racks, which is exactly why it is worth treating this as today's work rather than next month's. The fix is one version bump. The harder, more durable change is deciding that a storage appliance's control panel does not belong on the open internet.


Frequently asked questions

Which Unraid versions are affected by CVE-2026-9772 and CVE-2026-9773?

Both flaws are fixed in Unraid 7.3.0, so any release before 7.3.0 should be treated as affected. The Zero Day Initiative advisories ZDI-26-385 and ZDI-26-386 name version 7.3.0 stable as the fixed build. Update to 7.3.0 or later to close them.

Can these Unraid flaws be exploited without logging in?

No. Both advisories list authentication as a precondition, so an attacker needs a valid Unraid login first. That lowers the risk from internet-wide scanning, but a reused or phished password still reaches the bug, and an authenticated flaw like this can be chained with an authentication-bypass flaw to remove that requirement.

What can an attacker do with CVE-2026-9773?

An attacker can run arbitrary operating-system commands on the Unraid server as the www-data account, the user the web interface runs under. From there they can read or tamper with what that account can reach, including the management surface for storage, containers, and virtual machines, and potentially pursue further privilege escalation.

How do I detect exploitation of these Unraid bugs?

Watch process lineage on the server. Command execution as www-data shows up as the web stack's PHP worker spawning a shell or network tool it normally never launches. Flag unexpected child processes of the web server, unusual outbound connections from the NAS, and new scheduled tasks against the appliance's quiet baseline.
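The process-lineage rule described in the detection paragraph above and restated in this answer, written out as an added example that is not part of the original article or of any Unraid tooling. It parses a constructed process-creation log (the line format, the parent names `php-fpm` and `nginx`, and the tool list are assumptions; adapt them to whatever your endpoint agent or auditd emits) and flags a shell or network tool spawned under `www-data` by the web stack, while leaving normal worker forks and root-owned cron jobs alone.

```python
"""Process-lineage detection for web-stack command execution (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed process names for the web stack on the appliance; adjust to your host.
WEB_PARENTS = {"php-fpm", "php", "nginx"}
# Children a PHP worker has no business launching on a storage appliance.
SUSPECT_CHILDREN = {"sh", "bash", "dash", "curl", "wget", "nc", "ncat", "socat", "perl", "python3"}
WEB_USER = "www-data"

# Constructed log format: one process-creation event per line.
LINE_RE = re.compile(
    r'(?P<ts>\S+) user=(?P<user>\S+) ppid=(?P<ppid>\d+) pcomm=(?P<pcomm>\S+) '
    r'pid=(?P<pid>\d+) comm=(?P<comm>\S+) cmd="(?P<cmd>[^"]*)"'
)


@dataclass
class ProcEvent:
    ts: str
    user: str
    ppid: int
    pcomm: str
    pid: int
    comm: str
    cmd: str


@dataclass
class Alert:
    ts: str
    pid: int
    reason: str


def parse_event(line: str) -> Optional[ProcEvent]:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return ProcEvent(d["ts"], d["user"], int(d["ppid"]), d["pcomm"],
                     int(d["pid"]), d["comm"], d["cmd"])


def is_suspicious(ev: ProcEvent) -> bool:
    """Core rule: the web user's PHP/HTTP worker spawned a shell or network tool."""
    return ev.user == WEB_USER and ev.pcomm in WEB_PARENTS and ev.comm in SUSPECT_CHILDREN


def scan(lines: List[str]) -> List[Alert]:
    """Run the rule over a batch of log lines and return one alert per hit."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or not is_suspicious(ev):
            continue
        alerts.append(Alert(ev.ts, ev.pid,
                            f"{ev.pcomm} (pid {ev.ppid}) as {ev.user} spawned {ev.comm}: {ev.cmd}"))
    return alerts


# Constructed sample events: two benign, two that match the rule.
SAMPLE_EVENTS = [
    '2026-06-25T09:00:01Z user=www-data ppid=812 pcomm=php-fpm pid=2001 comm=php-fpm cmd="php-fpm: pool www"',
    '2026-06-25T09:00:05Z user=root ppid=1 pcomm=crond pid=2002 comm=sh cmd="sh -c /usr/local/bin/nightly-backup"',
    '2026-06-25T09:01:10Z user=www-data ppid=812 pcomm=php-fpm pid=2003 comm=sh cmd="sh -c whoami"',
    '2026-06-25T09:01:12Z user=www-data ppid=812 pcomm=php-fpm pid=2004 comm=curl cmd="curl http://203.0.113.10/"',
    'not a process event line',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(a.ts, a.pid, a.reason)
```

Only the two `www-data` children of `php-fpm` fire; the worker's own fork and the root cron shell are part of the appliance's quiet baseline and stay silent. Extend `SUSPECT_CHILDREN` and `WEB_PARENTS` from your own host's process list rather than guessing.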

What is the fastest way to reduce risk if I cannot update right now?

Take the Unraid web panel off the public internet. Reach it over a VPN, a private tunnel, or Unraid's remote-access option instead of a forwarded port, and rotate the administrator password if it has ever been reused. These steps blunt the credential-theft path until you can install version 7.3.0.
