Cyber Posture

CVE-2026-34578

Severity: High · Public PoC available

Published: 09 April 2026
Modified: 14 April 2026
KEV Added: none listed
Patch: fixed in OPNsense 26.1.6
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
EPSS Score: 0.0021 (42.6th percentile)
Risk Priority: 17 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

OPNsense is a FreeBSD-based firewall and routing platform. Prior to 26.1.6, OPNsense's LDAP authentication connector passes the login username directly into an LDAP search filter without calling ldap_escape(). An unauthenticated attacker can inject LDAP filter metacharacters into the username field of the WebGUI login page to enumerate valid LDAP usernames in the configured directory. When the LDAP server configuration includes an Extended Query to restrict login to members of a specific group, the same injection can be used to bypass that group membership restriction and authenticate as any LDAP user whose password is known, regardless of group membership. This vulnerability is fixed in 26.1.6.

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly requires validation and sanitization of username input before it reaches an LDAP search filter, preventing the injection of metacharacters seen in this CVE.

Prevent: Mandates timely remediation of the LDAP injection flaw fixed in OPNsense 26.1.6 by patching.

Prevent: Obscures authentication feedback so that observable responses to injected filters cannot be used to enumerate valid LDAP usernames.

Security Summary

CVE-2026-34578 is an LDAP injection vulnerability in OPNsense, a FreeBSD-based firewall and routing platform. Prior to version 26.1.6, the LDAP authentication connector passes the login username directly into an LDAP search filter without proper escaping via ldap_escape(), enabling injection of LDAP filter metacharacters. This flaw affects the WebGUI login page when LDAP authentication is configured and is classified under CWE-90 with a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N).

An unauthenticated remote attacker can exploit this vulnerability by submitting specially crafted input in the username field during login attempts. This allows enumeration of valid LDAP usernames in the configured directory by observing LDAP server responses. Additionally, if the LDAP configuration includes an Extended Query restricting logins to members of a specific group, the injection can bypass this restriction, enabling authentication as any LDAP user whose password is known, irrespective of group membership.

The vulnerability is addressed in OPNsense 26.1.6, where the fix involves proper escaping of the username in the LDAP search filter, as detailed in the commit at https://github.com/opnsense/core/commit/016f66cb4620cd48183fa97843f343bb71813c6e and the GitHub Security Advisory at https://github.com/opnsense/core/security/advisories/GHSA-jpm7-f59c-mp54. Security practitioners should upgrade to 26.1.6 or later and review LDAP configurations for exposure.

Details

CWE(s)

CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

Affected Products

opnsense / opnsense: versions earlier than 26.1.6 (fixed in 26.1.6)

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1087.002 Domain Account Discovery
Adversaries may attempt to get a listing of domain accounts.
Why these techniques?

The CVE is exploited through a public-facing web application (T1190) via LDAP injection on the WebGUI login page, which allows unauthenticated remote enumeration of directory usernames (T1087.002) and bypass of the group-membership restriction on authentication.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

Fix commit: https://github.com/opnsense/core/commit/016f66cb4620cd48183fa97843f343bb71813c6e
GitHub Security Advisory: https://github.com/opnsense/core/security/advisories/GHSA-jpm7-f59c-mp54