Description
OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.6, OPNsense's LDAP authentication connector passes the login username directly into an LDAP search filter without calling ldap_escape(). An unauthenticated attacker can inject LDAP filter metacharacters into the username field of the WebGUI login page to enumerate valid LDAP usernames in the configured directory. When the LDAP server configuration includes an Extended Query to restrict login to members of a specific group, the same injection can be used to bypass that group membership restriction and authenticate as any LDAP user whose password is known, regardless of group membership. This vulnerability is fixed in 26.1.6.
Published: 2026-04-09
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: LDAP Injection enabling username enumeration and potential group bypass
Action: Immediate Patch
AI Analysis

Impact

This vulnerability is an LDAP injection in OPNsense's authentication mechanism. By entering LDAP filter metacharacters into the username field of the WebGUI login page, an unauthenticated attacker can cause the firewall to issue LDAP searches with an attacker-influenced filter. This allows enumeration of valid LDAP usernames and, when the LDAP server is configured with an Extended Query that restricts login to a specific group, enables an attacker to bypass that restriction and authenticate as any LDAP user for whom they know the password. The weakness is classified as CWE-90 (Improper Neutralization of Special Elements used in an LDAP Query).
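To make the missing ldap_escape() call concrete, the following is an added Python illustration, not OPNsense code: it re-implements RFC 4515 filter-value escaping (what PHP's ldap_escape() performs in LDAP_ESCAPE_FILTER mode) and applies it to a hypothetical login filter that combines a username with an Extended Query. The attribute name, group DN and filter shape are assumptions made for this example.

```python
# Added illustration, not OPNsense code. Re-implements RFC 4515 filter-value
# escaping (what PHP's ldap_escape() does in LDAP_ESCAPE_FILTER mode) and
# shows the effect of the missing call in a hypothetical login filter.
# Attribute name, group DN and filter shape are assumptions for this example.

# Characters that alter LDAP filter structure, with their RFC 4515 escapes.
FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Assumed "Extended Query" limiting login to one group (placeholder DN).
EXTENDED_QUERY = "(memberOf=cn=vpn-users,ou=groups,dc=example,dc=test)"


def ldap_escape_filter(value: str) -> str:
    """Escape a string for use as a value inside an LDAP search filter."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unescaped(username: str) -> str:
    """Pre-26.1.6 style: the login name is interpolated verbatim."""
    return f"(&(uid={username}){EXTENDED_QUERY})"


def build_filter_escaped(username: str) -> str:
    """Fixed style: the login name is neutralised before interpolation."""
    return f"(&(uid={ldap_escape_filter(username)}){EXTENDED_QUERY})"


def username_is_literal(ldap_filter: str, username: str) -> bool:
    """Defender-side check: True when the filter still carries the username
    as one escaped literal, i.e. no metacharacter reached the LDAP parser."""
    return f"(uid={ldap_escape_filter(username)})" in ldap_filter


def has_filter_metachars(username: str) -> bool:
    """Audit helper: flag login attempts whose name contains filter
    metacharacters, which a legitimate account name should never need."""
    return any(ch in username for ch in FILTER_ESCAPES)


if __name__ == "__main__":
    for name in ["alice", "ali*"]:  # constructed sample login names
        print(name, build_filter_unescaped(name), build_filter_escaped(name))
```

Running the script shows that a wildcard in the unescaped filter is passed to the directory as a filter operator, while the escaped filter carries it as the literal sequence \2a.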

Affected Systems

The flaw exists in the OPNsense core platform and affects every installation running a version earlier than 26.1.6. It is specific to the LDAP authentication connector and is reachable through the standard WebGUI login form whenever an LDAP server is configured as an authentication source. The CPE identifies the product as opnsense:opnsense.

Risk and Exploitability

The CVSS score of 8.2 places this issue in the high severity range. The EPSS score is below 1%, indicating a low estimated exploitation probability, and the flaw is not listed in CISA's KEV catalog. An attacker with network access to the WebGUI can exploit the injection without authentication. Successful exploitation could lead to unauthorized enumeration of directory users and to elevation of privileges by bypassing group restrictions. The attack path is straightforward and requires only the ability to submit a crafted username.

Generated by OpenCVE AI on April 14, 2026 at 21:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the 26.1.6 or later update to eliminate the injection flaw
  • Limit exposure of the WebGUI by restricting it to trusted networks or requiring VPN
  • Disable or remove the LDAP authentication connector if not required for operation

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 20:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Opnsense, opnsense
CPEs                                   cpe:2.3:a:opnsense:opnsense:*:*:*:*:*:*:*:*
Vendors & Products                     Opnsense, opnsense

Fri, 10 Apr 2026 09:00:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Opnsense, Opnsense core
Vendors & Products                     Opnsense, Opnsense core

Thu, 09 Apr 2026 19:15:00 +0000

Type                  Values Removed   Values Added
Metrics                                ssvc:
                                       {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 09 Apr 2026 15:00:00 +0000

Type                  Values Removed   Values Added
Description                            OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.6, OPNsense's LDAP authentication connector passes the login username directly into an LDAP search filter without calling ldap_escape(). An unauthenticated attacker can inject LDAP filter metacharacters into the username field of the WebGUI login page to enumerate valid LDAP usernames in the configured directory. When the LDAP server configuration includes an Extended Query to restrict login to members of a specific group, the same injection can be used to bypass that group membership restriction and authenticate as any LDAP user whose password is known, regardless of group membership. This vulnerability is fixed in 26.1.6.
Title                                  OPNsense has an LDAP Injection via Unsanitized Username in Authentication
Weaknesses                             CWE-90
References
Metrics                                cvssV3_1:
                                       {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T17:45:23.099Z

Reserved: 2026-03-30T16:56:30.998Z

Link: CVE-2026-34578

Vulnrichment

Updated: 2026-04-09T17:45:11.030Z

NVD

Status: Analyzed

Published: 2026-04-09T15:16:10.777

Modified: 2026-04-14T20:14:24.660

Link: CVE-2026-34578

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:00:07Z

Weaknesses