Description
OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.6, OPNsense's LDAP authentication connector passes the login username directly into an LDAP search filter without calling ldap_escape(). An unauthenticated attacker can inject LDAP filter metacharacters into the username field of the WebGUI login page to enumerate valid LDAP usernames in the configured directory. When the LDAP server configuration includes an Extended Query to restrict login to members of a specific group, the same injection can be used to bypass that group membership restriction and authenticate as any LDAP user whose password is known, regardless of group membership. This vulnerability is fixed in 26.1.6.
Published: 2026-04-09
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: LDAP username enumeration and group bypass via injection
Action: Patch Immediately
AI Analysis

Impact

The vulnerability allows an unauthenticated attacker to inject LDAP filter metacharacters (asterisk, parentheses, backslash) through the username field of the OPNsense WebGUI login page, because the LDAP connector interpolates the submitted username into the search filter without calling ldap_escape(). Two consequences follow. The attacker can enumerate valid usernames in the configured directory, since a crafted username changes whether the search matches an entry at all. And when the LDAP server configuration uses an Extended Query to restrict logins to members of a specific group, the injected filter terms can neutralise that restriction, so the attacker can authenticate as any LDAP user whose password they already know, regardless of group membership. The weakness is LDAP Injection (CWE-90); it compromises the confidentiality of user identities (C:H) and the integrity of the access-control decision (I:L), with no availability impact.

Affected Systems

OPNsense, the FreeBSD-based firewall and routing platform, is affected in all releases of the core product prior to 26.1.6; 26.1.6 and later contain the fix. The vulnerable code is the LDAP authentication connector, so the issue is reachable only where an LDAP server is configured as an authentication source, and the group-bypass variant additionally requires an Extended Query to be in use on that server entry. Administrators should check the installed release (System > Firmware in the WebGUI, or opnsense-version on the console) and plan an update.

Risk and Exploitability

The CVSS 3.1 base score is 8.2 (High), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N: network-reachable, low attack complexity, no privileges and no user interaction. EPSS is below 1% (very low) at publication and the CVE is not in CISA's KEV catalog, so no in-the-wild exploitation is recorded. The SSVC assessment nonetheless records Exploitation: poc and Automatable: yes, and the injection point is the unauthenticated WebGUI login page, so anyone who can reach that page can attempt it. Note that the group bypass still requires a valid password for the target account; without one the attacker obtains username enumeration only.

Generated by OpenCVE AI on April 9, 2026 at 16:26 UTC.

Remediation

The vendor fix is included in OPNsense 26.1.6. No separate workaround is published.

OpenCVE Recommended Actions

  • Upgrade OPNsense to 26.1.6 or later, which escapes the username before it is placed in the LDAP search filter.
  • If an upgrade is not immediately possible, review the configured authentication servers: disabling LDAP authentication removes the vulnerable code path, and an Extended Query group restriction should not be relied on as an access control until the patch is applied.
  • Monitor authentication and LDAP server logs for login attempts whose username contains filter metacharacters (asterisk, parentheses, backslash) and for bursts of failed logins consistent with enumeration.
  • Restrict access to the WebGUI login interface to trusted administrative networks with firewall rules and network segmentation; this limits who can reach the injection point but does not remove it.


Advisories

No advisories yet.

History

Fri, 10 Apr 2026 09:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Opnsense
                                       Opnsense core
Vendors & Products                     Opnsense
                                       Opnsense core

Thu, 09 Apr 2026 19:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 09 Apr 2026 15:00:00 +0000

Type          Values Removed   Values Added
Description                    OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.6, OPNsense's LDAP authentication connector passes the login username directly into an LDAP search filter without calling ldap_escape(). An unauthenticated attacker can inject LDAP filter metacharacters into the username field of the WebGUI login page to enumerate valid LDAP usernames in the configured directory. When the LDAP server configuration includes an Extended Query to restrict login to members of a specific group, the same injection can be used to bypass that group membership restriction and authenticate as any LDAP user whose password is known, regardless of group membership. This vulnerability is fixed in 26.1.6.
Title                          OPNsense has an LDAP Injection via Unsanitized Username in Authentication
Weaknesses                     CWE-90
References
Metrics                        cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T17:45:23.099Z

Reserved: 2026-03-30T16:56:30.998Z

Link: CVE-2026-34578

Vulnrichment

Updated: 2026-04-09T17:45:11.030Z

NVD

Status : Received

Published: 2026-04-09T15:16:10.777

Modified: 2026-04-09T18:16:59.307

Link: CVE-2026-34578

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:32:44Z

Weaknesses