CVE-2026-35520 Overview
CVE-2026-35520 is a Remote Code Execution (RCE) vulnerability affecting FTLDNS (pihole-FTL), the core engine that provides an interactive API and generates statistics for Pi-hole's Web interface. This vulnerability exists in the DHCP lease time configuration parameter (dhcp.leaseTime) and allows authenticated attackers to inject arbitrary dnsmasq configuration directives through newline character injection, ultimately achieving command execution on the underlying system.
The vulnerability affects Pi-hole FTL versions from 6.0 to before 6.6, where inadequate input sanitization in the DHCP configuration handling enables attackers with authenticated access to the Pi-hole administrative interface to compromise the host system.
Critical Impact
Authenticated attackers can achieve full system compromise through command injection in the DHCP lease time parameter, potentially leading to complete takeover of the Pi-hole server and network-wide DNS manipulation.
Affected Products
- Pi-hole FTL (FTLDNS) versions 6.0 to 6.5.x
- Pi-hole deployments with DHCP server functionality enabled
- Systems running vulnerable versions of the pihole-FTL engine
Discovery Timeline
- 2026-04-07 - CVE CVE-2026-35520 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-35520
Vulnerability Analysis
This vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), commonly known as OS Command Injection. The flaw resides in how the Pi-hole FTL engine processes the dhcp.leaseTime configuration parameter without properly sanitizing newline characters and special dnsmasq directives.
When an authenticated user modifies DHCP settings through the Pi-hole API or web interface, the lease time value is incorporated into the dnsmasq configuration. Due to insufficient input validation, an attacker can embed newline characters (\n) followed by arbitrary dnsmasq configuration directives. Since dnsmasq supports the dhcp-script directive, which executes arbitrary scripts when DHCP events occur, attackers can leverage this to achieve code execution with the privileges of the dnsmasq process.
The attack requires authenticated access to the Pi-hole administrative interface, which is typically available on the local network. However, in environments where the Pi-hole admin interface is exposed to untrusted networks or where credentials have been compromised, this vulnerability poses a significant risk.
Root Cause
The root cause of CVE-2026-35520 is the failure to properly sanitize user-supplied input in the dhcp.leaseTime configuration parameter before writing it to the dnsmasq configuration file. The FTL engine did not strip or escape newline characters and other control characters, allowing attackers to break out of the intended configuration context and inject additional dnsmasq directives.
This is a classic command injection pattern where user input flows directly into a configuration file that is subsequently parsed and executed by another system component (dnsmasq), without adequate boundary enforcement.
Attack Vector
The attack is network-accessible and requires low-privilege authenticated access to the Pi-hole administrative interface. An attacker would craft a malicious DHCP lease time value containing embedded newline characters followed by dnsmasq directives such as dhcp-script that point to attacker-controlled commands or scripts.
The exploitation flow involves:
- Authenticating to the Pi-hole administrative interface
- Modifying the DHCP lease time setting with a payload containing newline-injected dnsmasq directives
- Triggering a DHCP event (such as a client lease request) to execute the injected configuration
- Achieving command execution on the target system
The vulnerability does not require user interaction and can be exploited automatically once the malicious configuration is written. For detailed technical information and proof-of-concept details, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-35520
Indicators of Compromise
- Unusual entries in dnsmasq configuration files containing dhcp-script directives pointing to unexpected executables
- Anomalous modifications to DHCP-related configuration parameters in Pi-hole logs
- Evidence of newline characters or special directives in DHCP lease time configuration values
- Unexpected child processes spawned by the dnsmasq service
Detection Strategies
- Monitor Pi-hole and dnsmasq configuration files for unauthorized modifications, particularly the addition of dhcp-script directives
- Implement file integrity monitoring on /etc/dnsmasq.d/ and related Pi-hole configuration directories
- Analyze Pi-hole API and web interface access logs for suspicious configuration change requests
- Deploy endpoint detection solutions capable of identifying command injection patterns in configuration files
Monitoring Recommendations
- Enable detailed logging for all Pi-hole administrative interface access and configuration changes
- Configure alerts for any modifications to DHCP-related settings in the Pi-hole configuration
- Monitor network traffic to the Pi-hole admin interface for unusual access patterns or authentication attempts
- Implement audit logging for all dnsmasq configuration file modifications
How to Mitigate CVE-2026-35520
Immediate Actions Required
- Upgrade Pi-hole FTL to version 6.6 or later immediately
- Review Pi-hole access logs for any suspicious configuration modification attempts
- Audit current dnsmasq configuration files for any unauthorized dhcp-script or other injected directives
- Restrict network access to the Pi-hole administrative interface to trusted hosts only
Patch Information
The vulnerability is fixed in Pi-hole FTL version 6.6. Organizations should update their Pi-hole installations to this version or later to remediate the vulnerability. The patch implements proper input sanitization for the dhcp.leaseTime parameter, preventing newline injection and ensuring configuration values cannot escape their intended context.
For official patch details and update instructions, see the GitHub Security Advisory.
Workarounds
- Disable the Pi-hole DHCP server functionality if not required and use an alternative DHCP server
- Implement strict network segmentation to prevent untrusted users from accessing the Pi-hole admin interface
- Use a reverse proxy with additional authentication layers to protect the Pi-hole administrative interface
- Monitor and validate all configuration changes before they are applied to the dnsmasq configuration
# Update Pi-hole FTL to the patched version
pihole -up
# Verify the installed FTL version
pihole -v
# Review dnsmasq configuration for suspicious entries
grep -r "dhcp-script" /etc/dnsmasq.d/
# Restrict admin interface access via iptables (example)
iptables -A INPUT -p tcp --dport 80 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
