Platform: linux
Component: opnsense
Fixed in: 26.1.7
CVE-2026-34578 is a high-severity vulnerability affecting OPNsense Firewall versions 26.0.0 through 26.1.6. This vulnerability allows unauthenticated attackers to inject LDAP filter metacharacters into the username field during login, potentially leading to sensitive information disclosure or unauthorized access. The vulnerability is due to the lack of proper escaping of the username when constructing LDAP search filters. A fix is available in version 26.1.6.
An attacker can exploit this vulnerability to enumerate valid usernames within the configured LDAP directory. This information can be used for targeted attacks or credential stuffing attempts. More critically, if the LDAP server configuration includes an Extended Query to restrict login to members of a specific group, the same injection can be leveraged to bypass this restriction. This allows an attacker to authenticate as any user within the LDAP directory, effectively gaining unauthorized access to the OPNsense Firewall and potentially the network it protects. The blast radius extends to any systems accessible through the firewall, depending on the privileges of the compromised user.
This vulnerability was publicly disclosed on 2026-04-09. Currently, there are no known public exploits or active campaigns targeting this vulnerability. The CVSS score of 8.2 (HIGH) indicates a significant risk. It is not listed on the CISA KEV catalog as of this writing, but its potential for privilege escalation warrants close monitoring.
Exploit Status
EPSS: 0.21% (43% percentile)
The primary mitigation for CVE-2026-34578 is to upgrade OPNsense Firewall to version 26.1.6 or later. If upgrading is not immediately feasible, consider temporarily disabling LDAP authentication or restricting access to the WebGUI to trusted users. Implement strict input validation on the username field to prevent the injection of special characters. Monitor LDAP logs for suspicious activity, specifically unusual search patterns or attempts to access restricted resources. After upgrading, confirm that the escaping mechanism works by attempting a login with a username containing LDAP metacharacters.
Update OPNsense to version 26.1.6 or later to mitigate the LDAP injection vulnerability. This update corrects the lack of escaping of LDAP special characters in the username, preventing user enumeration and potential group restriction bypass.
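The escaping this fix description refers to, shown as an added Python example (not OPNsense code, which is PHP): RFC 4515 escaping of the username before it is placed in a search filter, plus a check usable when triaging login usernames from logs. The `uid` attribute, the group DN, the `(&(attr=user)(extended query))` layout and the sample usernames are assumptions constructed for illustration.

```python
# Added illustration; not OPNsense source. Attribute name, group DN,
# filter layout and sample usernames are constructed for the example.

# RFC 4515 section 3: these characters must be written as \XX inside the
# assertion value of a search filter.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP filter assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def has_filter_metachar(value: str) -> bool:
    """True if the value would change filter syntax when left unescaped."""
    return any(ch in _FILTER_ESCAPES for ch in value)


def build_filter(username: str, attr: str = "uid",
                 extended_query: str = "memberOf=cn=fw-admins,dc=example,dc=com",
                 escape: bool = True) -> str:
    """Compose (&(attr=username)(extended_query)).

    escape=False reproduces the unescaped construction the advisory describes.
    """
    value = escape_filter_value(username) if escape else username
    return f"(&({attr}={value})({extended_query}))"


def count_filter_items(ldap_filter: str) -> int:
    """Count unescaped '(' characters, i.e. the components a server would parse."""
    count, i = 0, 0
    while i < len(ldap_filter):
        if ldap_filter[i] == "\\":
            i += 3  # skip a complete \XX escape sequence
            continue
        if ldap_filter[i] == "(":
            count += 1
        i += 1
    return count
```

With escaping, a username containing parentheses or `*` stays a literal value and the filter keeps its three components; without it, the same input changes the number of components the directory server parses.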
CVE-2026-34578 is a high-severity vulnerability in OPNsense Firewall versions 26.0.0 through 26.1.6 that allows unauthenticated attackers to inject LDAP filter metacharacters, potentially leading to username enumeration or unauthorized access.
If you are running OPNsense Firewall versions 26.0.0 through 26.1.6 and using LDAP authentication, you are potentially affected by this vulnerability.
Upgrade OPNsense Firewall to version 26.1.6 or later to resolve this vulnerability. Consider temporary mitigations like disabling LDAP authentication if immediate upgrade is not possible.
As of now, there are no confirmed reports of active exploitation, but the vulnerability's severity warrants proactive mitigation.
Refer to the official OPNsense security advisory for detailed information and updates: [https://opnsense.org/security/](https://opnsense.org/security/)