CVE-2026-34578

HIGH EPSS 33.3%
Published Apr 9, 20262mo ago · Modified Jun 17, 20261w ago
8.2 CVSS 3.1
High
Find Similar
Published Apr 9, 2026 2mo ago
Last Modified Jun 17, 2026 1w ago

Description

OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.6, OPNsense's LDAP authentication connector passes the login username directly into an LDAP search filter without calling ldap_escape(). An unauthenticated attacker can inject LDAP filter metacharacters into the username field of the WebGUI login page to enumerate valid LDAP usernames in the configured directory. When the LDAP server configuration includes an Extended Query to restrict login to members of a specific group, the same injection can be used to bypass that group membership restriction and authenticate as any LDAP user whose password is known, regardless of group membership. This vulnerability is fixed in 26.1.6.

CVSS Details

Base Score
8.2
Exploitability
3.9
Impact
4.2
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
33.3% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-90

Affected Products 1

VendorProductVersionRange
opnsenseopnsense* <26.1.6

References 2

  • github.com https://github.com/opnsense/core/commit/016f66cb4620cd48183fa97843f343bb71813c6e
    Patch
  • github.com https://github.com/opnsense/core/security/advisories/GHSA-jpm7-f59c-mp54
    ExploitMitigationVendor Advisory

Remediation

  • github.com https://github.com/opnsense/core/commit/016f66cb4620cd48183fa97843f343bb71813c6e
    Patch