CVE-2026-35517 Overview
A Remote Code Execution (RCE) vulnerability has been discovered in FTLDNS (pihole-FTL), the core DNS engine that powers Pi-hole's Web interface and provides an interactive API for DNS statistics. The vulnerability exists in versions 6.0 through 6.5 and allows authenticated attackers to inject arbitrary dnsmasq configuration directives through the upstream DNS servers configuration parameter (dns.upstreams). By exploiting improper input validation, attackers can insert newline characters to inject malicious configuration directives, ultimately achieving command execution on the underlying system.
Critical Impact
Authenticated attackers can achieve full system compromise through command injection in DNS configuration, potentially gaining complete control over the Pi-hole server and network DNS infrastructure.
Affected Products
- FTLDNS (pihole-FTL) versions 6.0 to 6.5
- Pi-hole installations using vulnerable FTL engine versions
- Systems running Pi-hole with authenticated API access enabled
Discovery Timeline
- 2026-04-07 - CVE-2026-35517 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-35517
Vulnerability Analysis
This vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), commonly known as Command Injection. The Pi-hole FTL engine fails to properly sanitize user-controlled input in the dns.upstreams configuration parameter before passing it to the underlying dnsmasq process.
When an authenticated user modifies upstream DNS server settings through the Pi-hole API, the input is processed without adequate validation of newline characters (\n). This allows an attacker to break out of the intended configuration context and inject arbitrary dnsmasq directives. Since dnsmasq supports configuration options that can execute external commands or scripts, this injection can be leveraged to achieve remote code execution with the privileges of the FTL process.
The vulnerability requires authentication, meaning an attacker must first obtain valid credentials or session access to the Pi-hole administrative interface. However, once authenticated, the path to code execution is straightforward, making this a serious threat to Pi-hole deployments with weak administrative credentials or exposed management interfaces.
Root Cause
The root cause lies in insufficient input validation within the FTL engine's configuration parsing logic. The dns.upstreams parameter accepts upstream DNS server addresses but fails to sanitize special characters, particularly newline sequences. When this input is written to the dnsmasq configuration or passed to dnsmasq through inter-process communication, the injected newlines are interpreted as configuration directive separators, allowing arbitrary directive injection.
Attack Vector
The attack is network-based and requires authenticated access to the Pi-hole API or Web interface. An attacker would craft a malicious DNS upstream server value containing newline characters followed by dnsmasq configuration directives that trigger command execution. The injected directives could leverage dnsmasq features such as dhcp-script or other configuration options that support external command execution.
The attack flow involves:
- Authenticating to the Pi-hole Web interface or API
- Navigating to DNS settings or using the API endpoint for upstream DNS configuration
- Injecting a crafted payload containing newline-separated malicious dnsmasq directives
- Triggering dnsmasq configuration reload to execute the injected commands
For detailed technical information, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-35517
Indicators of Compromise
- Unusual characters or newline sequences in Pi-hole DNS configuration files
- Unexpected dnsmasq configuration directives appearing in configuration
- Anomalous process execution originating from the FTL or dnsmasq processes
- Suspicious API requests to DNS configuration endpoints containing encoded newline characters
Detection Strategies
- Monitor Pi-hole API access logs for requests to DNS upstream configuration endpoints containing suspicious patterns such as %0a, %0d, or literal newline sequences
- Implement file integrity monitoring on dnsmasq and Pi-hole configuration files to detect unauthorized modifications
- Deploy endpoint detection to identify unexpected child processes spawned by pihole-FTL or dnsmasq services
- Analyze network traffic for unusual DNS configuration API calls with abnormally long or encoded payloads
Monitoring Recommendations
- Enable detailed logging for Pi-hole API authentication attempts and configuration changes
- Configure alerts for any modifications to upstream DNS server settings outside of authorized maintenance windows
- Monitor system process trees for anomalous command execution with pihole-FTL as a parent process
- Review authentication logs for brute-force attempts or unauthorized access to the Pi-hole administrative interface
How to Mitigate CVE-2026-35517
Immediate Actions Required
- Upgrade FTLDNS (pihole-FTL) to version 6.6 or later immediately
- Audit Pi-hole administrative access logs for suspicious DNS configuration changes
- Review and rotate Pi-hole administrative credentials, especially if weak passwords were in use
- Restrict network access to the Pi-hole administrative interface to trusted management networks only
- Enable two-factor authentication if available for Pi-hole administrative access
Patch Information
The vulnerability has been fixed in Pi-hole FTL version 6.6. The patch addresses the input validation weakness by properly sanitizing the dns.upstreams configuration parameter to reject or escape newline characters and other special characters that could be used for configuration injection.
Organizations should update their Pi-hole installations using the standard update mechanism or by downloading the patched FTL binary from the official Pi-hole repositories. For more details on the fix, see the GitHub Security Advisory.
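The two defensive checks discussed above, the log monitoring for encoded CR/LF in requests to the upstream configuration endpoint (Detection Strategies) and the allowlist-style validation of dns.upstreams values (Patch Information), as one added example. This is not Pi-hole's own code: the /api/config/dns/upstreams/<value> path, the common-log-style line format and the sample log lines are constructed assumptions, and the allowlist validator illustrates the approach rather than reproducing the 6.6 fix.

```python
# Added example, not Pi-hole's own code: the endpoint path, log format and sample lines are assumptions.
import ipaddress
import re
from urllib.parse import unquote
UPSTREAMS_PREFIX = "/api/config/dns/upstreams/"  # assumed path for adding a single upstream entry

def is_valid_upstream(value: str) -> bool:
    """Allowlist check: IPv4/IPv6 (IPv6 may be bracketed) plus an optional #port, nothing else."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return False  # CR, LF, NUL, tab can never be part of a legitimate address
    addr, sep, port = value.partition("#")
    if addr.startswith("[") and addr.endswith("]"):
        addr = addr[1:-1]
    try:
        ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not sep or (bool(re.fullmatch(r"[0-9]{1,5}", port)) and 1 <= int(port) <= 65535)

_LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '  # common-log-style line, constructed
                     r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def _decode_fully(s: str, rounds: int = 3) -> str:
    """Percent-decode until stable so a double-encoded %250A is not missed."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def scan_access_log(lines):
    """Return (client, method, reason) for config requests that look like directive injection."""
    findings = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m or not m["path"].startswith("/api/config"):
            continue
        path = _decode_fully(m["path"])
        if "\n" in path or "\r" in path:
            findings.append((m["client"], m["method"], "CR/LF in config request path"))
        elif path.startswith(UPSTREAMS_PREFIX) and not is_valid_upstream(path[len(UPSTREAMS_PREFIX):]):
            findings.append((m["client"], m["method"], "upstream value failed allowlist"))
    return findings

SAMPLE_LOG = [  # constructed; "injected-directive" is a placeholder, not a real dnsmasq option
    '192.168.1.20 - - [07/Apr/2026:10:00:01 +0000] "PUT /api/config/dns/upstreams/9.9.9.9%2353 HTTP/1.1" 200',
    '10.0.0.7 - - [07/Apr/2026:10:01:00 +0000] "PUT /api/config/dns/upstreams/8.8.8.8%0Ainjected-directive%3Dx HTTP/1.1" 200',
    '10.0.0.7 - - [07/Apr/2026:10:01:05 +0000] "PUT /api/config/dns/upstreams/8.8.8.8%250D%250Ax HTTP/1.1" 200',
    '10.0.0.7 - - [07/Apr/2026:10:01:09 +0000] "PUT /api/config/dns/upstreams/not-an-ip HTTP/1.1" 400',
]
```

Running scan_access_log(SAMPLE_LOG) flags the three 10.0.0.7 requests (two for encoded CR/LF, one for a value that is not an address) and passes the legitimate 9.9.9.9#53 entry.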
Workarounds
- Restrict API access by implementing firewall rules to limit connectivity to the Pi-hole administrative interface from untrusted networks
- Place the Pi-hole administrative interface behind a VPN or bastion host to reduce exposure
- Implement strong authentication controls and monitor for unauthorized access attempts
- Consider temporarily disabling API access to DNS configuration if immediate patching is not possible
# Restrict Pi-hole admin interface access to the local network only
# Add to firewall configuration (example using iptables; replace 192.168.1.0/24 with your management subnet)
# -A appends, so these rules only take effect if no earlier INPUT rule already accepts the traffic;
# if the Web interface is also served over HTTPS, add matching rules for port 443
iptables -A INPUT -p tcp --dport 80 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.