CVE-2026-35519 Overview
A remote code execution vulnerability has been identified in FTLDNS (pihole-FTL), the core component that provides an interactive API and generates statistics for Pi-hole's Web interface. This command injection vulnerability (CWE-78) affects versions 6.0 to before 6.6 of the Pi-hole FTL engine and allows authenticated attackers to execute arbitrary commands on the underlying system through malicious DNS host record configurations.
Critical Impact
Authenticated attackers can achieve full system compromise by injecting arbitrary dnsmasq configuration directives through newline characters in the dns.hostRecord parameter, leading to remote code execution on the Pi-hole server.
Affected Products
- Pi-hole FTL (FTLDNS) versions 6.0 to before 6.6
Discovery Timeline
- 2026-04-07 - CVE-2026-35519 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-35519
Vulnerability Analysis
The vulnerability exists in the DNS host record configuration parameter (dns.hostRecord) within the Pi-hole FTL engine. The FTL component serves as the backbone of Pi-hole, handling DNS queries and providing the API that powers the web interface. Due to insufficient input validation on the dns.hostRecord parameter, the system fails to properly sanitize user-supplied input before passing it to the underlying dnsmasq configuration.
An authenticated user with access to the Pi-hole administrative interface can exploit this flaw by crafting a specially formed host record that includes newline characters. These newline characters allow the attacker to break out of the intended configuration context and inject arbitrary dnsmasq directives. Dnsmasq supports configuration options that can execute external scripts or commands, making this injection point a viable path to remote code execution.
Root Cause
The root cause of this vulnerability is improper input validation (CWE-78 - Improper Neutralization of Special Elements used in an OS Command). The dns.hostRecord configuration parameter does not adequately filter or escape newline characters (\n) and other control characters before incorporating user input into the dnsmasq configuration file. This allows attackers to inject additional configuration directives that dnsmasq interprets as legitimate instructions.
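As an added illustration of this root cause (not Pi-hole's code or its actual fix): a setting pasted unchanged into a line-oriented config becomes a second directive when it contains a newline, and an allow-list check rejects it. The function names, sample values and `placeholder-directive` are constructed for this example.

```python
import ipaddress
import re

# One DNS label: letters, digits, '-' or '_', 1-63 characters.
_LABEL = r"[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,62})"
_NAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})*\.?")

def render_unsafe(value):
    """Vulnerable pattern: the setting is pasted into the config unchanged."""
    return f"host-record={value}\n"

def directive_names(config_text):
    """Directive names a line-oriented config reader would see."""
    lines = (ln.strip() for ln in config_text.split("\n"))
    return [ln.split("=", 1)[0] for ln in lines if ln and not ln.startswith("#")]

def _is_ip(field):
    try:
        ipaddress.ip_address(field)
        return True
    except ValueError:
        return False

def validate_host_record(value):
    """Every comma-separated field must be a host name, an IP address or a
    numeric TTL (digits also match the label pattern), all on a single line."""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        raise ValueError("control character in host record")
    fields = value.split(",")
    if _is_ip(fields[0]) or not _NAME.fullmatch(fields[0]):
        raise ValueError("first field must be a host name")
    for pos, field in enumerate(fields[1:], start=1):
        if not (_is_ip(field) or _NAME.fullmatch(field)):
            raise ValueError(f"field {pos} is not a name, address or TTL")
    return value

def render_checked(value):
    """Hardened counterpart: validate first, then write the single line."""
    return f"host-record={validate_host_record(value)}\n"

# Constructed sample values; the injected directive is a harmless placeholder.
GOOD = "nas.lan,192.168.1.10,fd00::10,300"
BAD = "nas.lan,192.168.1.10\nplaceholder-directive=x"
```

`directive_names(render_unsafe(BAD))` reports two directives where the administrator configured one, while `render_checked(BAD)` raises `ValueError` before anything is written.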
Attack Vector
The attack requires network access and low-privilege authentication to the Pi-hole administrative interface. An attacker who has obtained valid credentials—either through credential theft, default password exploitation, or legitimate access—can navigate to the DNS configuration settings and input a malicious host record containing embedded newline characters followed by arbitrary dnsmasq directives.
The injection technique leverages dnsmasq's support for directive chaining and external command execution capabilities. By carefully constructing the payload, an attacker can instruct dnsmasq to execute shell commands with the privileges of the dnsmasq process, which often runs as root or with elevated privileges on the system.
For detailed technical information and proof-of-concept details, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-35519
Indicators of Compromise
- Unusual entries in dnsmasq configuration files containing newline sequences or unexpected directives
- Suspicious modification timestamps on /etc/dnsmasq.conf or Pi-hole configuration directories
- Unexpected processes spawned as child processes of dnsmasq or pihole-FTL
- Anomalous network connections originating from the Pi-hole server
- Authentication logs showing access to DNS configuration endpoints followed by system-level activity
Detection Strategies
- Monitor Pi-hole administrative interface logs for modifications to the dns.hostRecord parameter, especially entries containing encoded newline characters or escape sequences
- Implement file integrity monitoring on dnsmasq and Pi-hole configuration files to detect unauthorized modifications
- Review process execution logs for unexpected commands executed by the dnsmasq or pihole-FTL user accounts
- Deploy network-based detection for unusual outbound connections from Pi-hole servers
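One way to implement the first strategy, as an added example rather than Pi-hole tooling: decode the logged value layer by layer and report how a line break was hidden. The log line format, addresses and `placeholder-directive` are constructed assumptions; adapt the `_ENTRY` pattern to whatever your proxy or audit log actually records.

```python
import re
from urllib.parse import unquote

_CTRL = re.compile(r"[\x00-\x1f\x7f]")
# Backslash escapes that stand for a line break: \n \r \x0a \x0d \u000a \u000d
_ESCAPED = re.compile(r"\\(?:[nr]|x0[aAdD]|u000[aAdD])")
# Hypothetical audit-log layout: ... setting=<key> value="<value>"
_ENTRY = re.compile(r'setting=dns\.hostRecord value="(.*)"$')

def classify(value, max_rounds=3):
    """Return how a line break is hidden in value, or None if there is none."""
    if _CTRL.search(value):
        return "raw"
    decoded = value
    for _ in range(max_rounds):          # peel nested percent-encoding
        peeled = unquote(decoded)
        if peeled == decoded:
            break
        decoded = peeled
        if _CTRL.search(decoded):
            return "percent-encoded"
    if _ESCAPED.search(decoded):
        return "escaped"
    return None

def scan(log_lines):
    """Return (line_number, kind) for each suspicious dns.hostRecord change."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = _ENTRY.search(line)
        kind = classify(match.group(1)) if match else None
        if kind:
            hits.append((number, kind))
    return hits

# Constructed sample lines; not real Pi-hole log output.
SAMPLE = [
    '2026-04-08T10:01:02Z src=192.168.1.50 setting=dns.hostRecord value="nas.lan,192.168.1.10"',
    '2026-04-08T10:03:41Z src=192.168.1.77 setting=dns.hostRecord value="nas.lan,192.168.1.10%0Aplaceholder-directive=x"',
    '2026-04-08T10:04:10Z src=192.168.1.77 setting=dns.hostRecord value="nas.lan,192.168.1.10%250aplaceholder-directive=x"',
    '2026-04-08T10:05:00Z src=192.168.1.77 setting=dns.hostRecord value="nas.lan,192.168.1.10\\nplaceholder-directive=x"',
    '2026-04-08T10:06:00Z src=192.168.1.50 setting=dns.upstreams value="9.9.9.9"',
]
```

Running `scan(SAMPLE)` flags lines 2 to 4 and leaves the clean host record and the unrelated setting alone.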
Monitoring Recommendations
- Enable verbose logging for Pi-hole FTL API access and configuration changes
- Implement SIEM alerting for configuration file modifications on Pi-hole systems
- Monitor for privilege escalation attempts or lateral movement originating from Pi-hole hosts
- Regularly audit administrative user accounts and access patterns on Pi-hole installations
How to Mitigate CVE-2026-35519
Immediate Actions Required
- Upgrade Pi-hole FTL to version 6.6 or later immediately to remediate this vulnerability
- Audit all DNS host record configurations for suspicious entries containing newline characters or unexpected directives
- Review administrative access logs to identify any potential exploitation attempts
- Restrict network access to the Pi-hole administrative interface to trusted networks or IP addresses
- Ensure strong, unique credentials are used for all Pi-hole administrative accounts
Patch Information
This vulnerability is fixed in Pi-hole FTL version 6.6. Users should update their Pi-hole installations through the standard update mechanism or by manually upgrading the FTL component. For additional patch details and release notes, consult the GitHub Security Advisory.
Workarounds
- Implement network segmentation to restrict access to the Pi-hole administrative interface from untrusted networks
- Use a reverse proxy with authentication to add an additional layer of access control before the Pi-hole web interface
- Temporarily disable API access or restrict administrative functionality while awaiting patch deployment
- Monitor and audit all configuration changes through external logging and file integrity monitoring solutions
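```bash
# Example: Restrict administrative interface access via iptables
# Rules are appended in order, so the ACCEPT for the trusted subnet must precede the DROP.
# 192.168.1.0/24 is an example subnet; if the web interface also listens on HTTPS, repeat both rules for that port.
iptables -A INPUT -p tcp --dport 80 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
```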

