CVE-2026-34578 Overview
CVE-2026-34578 is an LDAP Injection vulnerability in OPNsense, a FreeBSD-based firewall and routing platform. Prior to version 26.1.6, OPNsense's LDAP authentication connector passes the login username directly into an LDAP search filter without calling ldap_escape(). An unauthenticated attacker can inject LDAP filter metacharacters into the username field of the WebGUI login page to enumerate valid LDAP usernames in the configured directory. When the LDAP server configuration includes an Extended Query to restrict login to members of a specific group, the same injection can be used to bypass that group membership restriction and authenticate as any LDAP user whose password is known, regardless of group membership.
Critical Impact
Unauthenticated attackers can enumerate valid LDAP usernames and bypass group membership restrictions on the OPNsense WebGUI login, potentially gaining unauthorized access to the firewall management interface.
Affected Products
- OPNsense versions prior to 26.1.6
- OPNsense installations using LDAP authentication
- OPNsense deployments with Extended Query group restrictions
Discovery Timeline
- 2026-04-09 - CVE-2026-34578 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-34578
Vulnerability Analysis
This LDAP Injection vulnerability (CWE-90) exists in the OPNsense LDAP authentication module, specifically within the LDAP.php library file. The vulnerability occurs because user-supplied input from the WebGUI login page is concatenated directly into LDAP search filter strings without escaping. This allows attackers to inject the characters RFC 4515 treats as special inside a filter value (*, (, ) and \) together with the filter operators |, & and !, and so rewrite the structure of the query rather than supplying a literal username.
The vulnerability enables two distinct attack scenarios: First, attackers can enumerate valid LDAP usernames by crafting injection payloads that return different responses based on username validity. Second, when Extended Query restrictions are configured to limit authentication to specific group members, attackers can inject payloads that bypass these group membership checks entirely, allowing authentication as any LDAP user whose password is known—regardless of their actual group membership.
Root Cause
The root cause is missing input sanitization in the LDAP authentication flow. The $username variable received from user input is directly interpolated into the LDAP search filter string without first being passed through the ldap_escape() function with the LDAP_ESCAPE_FILTER flag. This allows LDAP filter metacharacters to be interpreted as part of the query structure rather than as literal search values.
Attack Vector
The attack is network-accessible and requires no authentication or user interaction. An attacker can access the OPNsense WebGUI login page and submit malicious usernames containing LDAP filter injection payloads. For username enumeration, an attacker might use wildcards like * or construct filter expressions that return data only when matching usernames exist. For group restriction bypass, the attacker can inject payloads that close the intended filter expression and add conditions that always evaluate to true, effectively nullifying the Extended Query group membership requirement.
// Vulnerable code (- lines: username interpolated raw into the LDAP filter) and the fix (+ lines: username passed through ldap_escape() first)
// Source: https://github.com/opnsense/core/commit/016f66cb4620cd48183fa97843f343bb71813c6e
// add $userNameAttribute to search results
$this->addSearchAttribute($userNameAttribute);
$result = [];
+ $username_safe = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
if (empty($extendedQuery)) {
- $searchResults = $this->search("({$userNameAttribute}={$username})");
+ $searchResults = $this->search("({$userNameAttribute}={$username_safe})");
} else {
// add additional search phrases
- $searchResults = $this->search("(&({$userNameAttribute}={$username})({$extendedQuery}))");
+ $searchResults = $this->search("(&({$userNameAttribute}={$username_safe})({$extendedQuery}))");
}
if ($searchResults !== false) {
for ($i = 0; $i < $searchResults["count"]; $i++) {
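Review bot: $extendedQuery is still interpolated unescaped in the `(&({$userNameAttribute}={$username_safe})({$extendedQuery}))` branch; that is acceptable only because it is administrator-supplied configuration rather than login input, and the hunk should say so in a comment next to `$username_safe`, since a later change that lets a less trusted source set the extended query would reintroduce exactly this bug. As defence in depth, the loop `for ($i = 0; $i < $searchResults["count"]; $i++)` could be preceded by a check that exactly one entry matched: a search on the username attribute that returns several entries means either an ambiguous directory or a filter that is not the one the code intended, and neither should lead to a bind.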
Source: GitHub Commit Update
Detection Methods for CVE-2026-34578
Indicators of Compromise
- Login attempts containing LDAP metacharacters such as *, (, ), \, |, or ! in the username field
- Unusual patterns of failed login attempts followed by successful authentication from the same source
- Authentication logs showing login attempts with wildcard patterns or filter expressions as usernames
- Successful LDAP authentications from users who should be restricted by group membership policies
Detection Strategies
- Monitor OPNsense authentication logs for username values containing special characters or LDAP filter syntax
- Implement Web Application Firewall (WAF) rules to detect and block LDAP injection payloads in login requests
- Configure LDAP server logging to capture and alert on malformed or suspicious search queries
- Deploy network intrusion detection rules to identify LDAP injection patterns in HTTP POST requests to the WebGUI
Monitoring Recommendations
- Enable verbose logging on both OPNsense and the connected LDAP server to capture authentication attempts
- Set up alerts for authentication anomalies, particularly successful logins from users not in permitted groups
- Regularly audit LDAP server logs for unusual query patterns or high volumes of searches
- Monitor for reconnaissance activity against the WebGUI login page from suspicious IP addresses
How to Mitigate CVE-2026-34578
Immediate Actions Required
- Upgrade OPNsense to version 26.1.6 or later immediately
- Review authentication logs for evidence of exploitation attempts prior to patching
- Audit LDAP-authenticated user access to identify any unauthorized authentications
- Consider temporarily disabling LDAP authentication and using local accounts until the patch is applied
Patch Information
OPNsense has released version 26.1.6 which addresses this vulnerability by implementing proper input sanitization using the ldap_escape() function with the LDAP_ESCAPE_FILTER flag. The fix ensures that all user-supplied input is properly escaped before being incorporated into LDAP search filters. For more details, refer to the GitHub Security Advisory GHSA-jpm7-f59c-mp54 and the patch commit.
Workarounds
- Implement network-level access controls to restrict WebGUI access to trusted management networks only
- Deploy a Web Application Firewall (WAF) in front of the OPNsense WebGUI to filter malicious input patterns
- Consider disabling LDAP authentication temporarily and using local OPNsense accounts until the patch can be applied
- If LDAP authentication must remain active, implement additional monitoring and alerting on authentication events
# Configuration example
# Restrict WebGUI access to trusted management network via firewall rule
# In OPNsense: Firewall > Rules > WAN (or appropriate interface)
# Create a rule blocking access to the WebGUI port (443) from untrusted networks
# Example: Update OPNsense via console or SSH
opnsense-update -f
opnsense-version -v # Verify version is 26.1.6 or higher
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

