Description
Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. In versions before 6.6.1, the `dns.interface` configuration field in Pi-hole FTL accepted newline characters without validation, allowing an attacker to inject arbitrary directives into the generated dnsmasq configuration file. On installations with no admin password set (the default for many deployments), the configuration API is fully accessible without credentials, allowing a network-adjacent attacker to inject the payload, enable the built-in DHCP server, and achieve arbitrary command execution on the host the next time any device on the network requests a DHCP lease. The injected value is persisted to /etc/pihole/pihole.toml and survives restarts. The strncpy in the code path limits the total interface field to 31 bytes, but payloads such as wlan0\ndhcp-script=/tmp/p fit within this constraint. The dnsmasq config validation introduced in FTL 6.6 only checks syntactic validity, so valid directives injected via newline pass validation successfully. This issue has been fixed in version 6.6.1.
Published: 2026-05-05
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A newline injection vulnerability in the dns.interface field of Pi‑hole FTL allows an attacker to insert arbitrary directives into the generated dnsmasq configuration file. The attacker can add commands such as dhcp-script=/tmp/p fit, which is then executed when the host processes DHCP leases. Since Pi‑hole’s configuration API is exposed without credentials on installations lacking an admin password, a network‑adjacent attacker can exploit this flaw without authentication and achieve arbitrary command execution on the underlying host, giving full control over both the device and the network it serves.

Affected Systems

Pi‑hole FTL versions prior to 6.6.1 on deployments with the default unsecured configuration (no admin password).

Risk and Exploitability

The CVSS score of 8.7 signals a high severity impact with moderate complexity. The EPSS score is not available, but the vulnerability’s presence in the default configuration exposes it widely. It is not listed in CISA’s KEV catalog, yet the lack of authentication and the ability to persist changes across reboots increases the likelihood of exploitation. An attacker operating on the local network can trigger the breach by submitting a crafted request to the unsecured API, after which the malicious payload will execute during any DHCP lease transaction.

Generated by OpenCVE AI on May 5, 2026 at 22:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Pi‑hole FTL to version 6.6.1 or later, which removes newline handling in the dns.interface field.
  • If an upgrade is not immediately possible, configure a strong admin password to lock down the configuration API and prevent unauthenticated access.
  • Remove any injected lines from /etc/pihole/pihole.toml and disable the built‑in DHCP server or ensure dhcp-script entries are corrected; then restart Pi‑hole to apply changes.

Generated by OpenCVE AI on May 5, 2026 at 22:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 06 May 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Pi-hole
Pi-hole ftldns
Vendors & Products Pi-hole
Pi-hole ftldns

Tue, 05 May 2026 21:15:00 +0000

Type Values Removed Values Added
Description Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. In versions before 6.6.1, the `dns.interface` configuration field in Pi-hole FTL accepted newline characters without validation, allowing an attacker to inject arbitrary directives into the generated dnsmasq configuration file. On installations with no admin password set (the default for many deployments), the configuration API is fully accessible without credentials, allowing a network-adjacent attacker to inject the payload, enable the built-in DHCP server, and achieve arbitrary command execution on the host the next time any device on the network requests a DHCP lease. The injected value is persisted to /etc/pihole/pihole.toml and survives restarts. The strncpy in the code path limits the total interface field to 31 bytes, but payloads such as wlan0\ndhcp-script=/tmp/p fit within this constraint. The dnsmasq config validation introduced in FTL 6.6 only checks syntactic validity, so valid directives injected via newline pass validation successfully. This issue has been fixed in version 6.6.1.
Title Pi-hole FTL remote code execution via newline injection in dns.interface configuration
Weaknesses CWE-93
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-05T20:50:26.021Z

Reserved: 2026-04-07T19:13:20.378Z

Link: CVE-2026-39849

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-05T21:16:22.677

Modified: 2026-05-05T21:16:22.677

Link: CVE-2026-39849

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-06T09:00:09Z

Weaknesses