CVE-2026-35521 Overview
A Remote Code Execution (RCE) vulnerability exists in FTLDNS (pihole-FTL), the Pi-hole engine that embeds dnsmasq to serve DNS and DHCP, exposes the REST API and produces the statistics shown in the Web interface. The vulnerability resides in the DHCP hosts configuration parameter (dhcp.hosts): an authenticated attacker can embed newline characters in a host entry, and because the value is written verbatim into the dnsmasq configuration, each embedded newline starts a fresh configuration line that dnsmasq parses as an arbitrary directive. Directives such as dhcp-script run external programs, which turns the injection into command execution on the underlying system.
Critical Impact
An authenticated attacker can inject dnsmasq directives through the DHCP host configuration and turn that into command execution on the Pi-hole host. Because that host typically serves DNS and DHCP for the whole network, compromising it also gives control over name resolution and lease assignment for every client behind it.
Affected Products
- Pi-hole FTL versions 6.0 through 6.5
- FTLDNS (pihole-FTL) with DHCP functionality enabled
- Pi-hole deployments using the Web interface API
Discovery Timeline
- 2026-04-07 - CVE-2026-35521 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-35521
Vulnerability Analysis
This vulnerability is classified as CWE-78 (OS Command Injection) and affects the Pi-hole FTL engine's handling of DHCP host configuration. The dhcp.hosts parameter accepts user-supplied entries without rejecting newline characters. When an authenticated user modifies DHCP host entries through the Pi-hole API or Web interface, each entry is rendered as a dhcp-host= line in the dnsmasq configuration that FTL generates (in Pi-hole v6, /etc/pihole/dnsmasq.conf, built from /etc/pihole/pihole.toml). An entry containing a newline (\n) therefore ends the dhcp-host= line early, and whatever follows the newline is parsed by dnsmasq as a separate directive, including directives that execute external programs.
Exploitation requires valid credentials for the Pi-hole administrative interface or API. Once authenticated, the attack is straightforward and needs no user interaction. Successful exploitation runs arbitrary commands with the privileges of the pihole-FTL process; depending on the installation that is either root or the dedicated pihole service user that FTL drops to after startup, and in either case it is enough to alter the host's DNS and DHCP behaviour and to persist on the box.
Root Cause
The root cause is insufficient input validation in the DHCP hosts configuration handler. The dhcp.hosts parameter accepts user input that is subsequently written to the dnsmasq configuration file without rejecting or escaping newline characters. Because dnsmasq's configuration format is one directive per line, an embedded newline lets the attacker append lines that dnsmasq cannot distinguish from directives written by an administrator.
dnsmasq supports several configuration options that run external code, most directly dhcp-script, which names a program that dnsmasq executes whenever a lease is created, renewed or removed. By injecting a newline followed by a dhcp-script entry pointing at an attacker-controlled script, the attacker gets that script executed on the next DHCP lease event.
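To make the root cause concrete, here is a Python model of the flawed serialisation beside a hardened version. It is an added example written for this page, not FTL's own C implementation and not the upstream fix; the MAC addresses, hostnames and script path in the sample entries are constructed.

```python
import re

# Constructed sample entries. The third one carries an embedded newline followed
# by a dhcp-script directive, the injection pattern the advisory describes.
# Addresses, names and the script path are made up for illustration.
SAMPLE_HOSTS = [
    "aa:bb:cc:dd:ee:01,printer,192.168.1.50",
    "aa:bb:cc:dd:ee:02,nas,192.168.1.51",
    "aa:bb:cc:dd:ee:03,evil,192.168.1.52\ndhcp-script=/tmp/attacker.sh",
]

# Matches control characters (including \n and \r) and DEL, none of which has
# any business in a dhcp-host value.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def serialize_dhcp_hosts(hosts):
    """Render each entry as one 'dhcp-host=' line, the way a generated dnsmasq
    configuration carries them. No validation happens here."""
    return "".join(f"dhcp-host={h}\n" for h in hosts)


def render_vulnerable(hosts):
    """Model of the flawed behaviour: values are written straight into the
    configuration, so an embedded newline becomes a second directive that
    dnsmasq parses as if an administrator had written it."""
    return serialize_dhcp_hosts(hosts)


def validate_dhcp_host(entry):
    """Return None if the entry is acceptable, otherwise a reason string.
    This is a conservative check written for this example: it rejects anything
    that could terminate the dhcp-host= line, not a full dhcp-host grammar."""
    if not entry.strip():
        return "empty entry"
    m = _CONTROL_CHARS.search(entry)
    if m:
        return f"control character 0x{ord(m.group()):02x} at offset {m.start()}"
    return None


def render_hardened(hosts):
    """Validate every entry before serialising; refuse the whole batch on any
    failure so a bad entry can never reach the configuration file."""
    problems = [(i, validate_dhcp_host(h)) for i, h in enumerate(hosts)]
    problems = [(i, why) for i, why in problems if why]
    if problems:
        raise ValueError(f"rejected dhcp.hosts entries: {problems}")
    return serialize_dhcp_hosts(hosts)


def directive_names(config_text):
    """List the directive names dnsmasq would see, one per non-empty line."""
    return [line.split("=", 1)[0] for line in config_text.splitlines() if line.strip()]


if __name__ == "__main__":
    vulnerable = render_vulnerable(SAMPLE_HOSTS)
    print("vulnerable rendering produces directives:", directive_names(vulnerable))
    try:
        render_hardened(SAMPLE_HOSTS)
    except ValueError as err:
        print("hardened rendering refused:", err)
    print("hardened rendering of clean entries:\n" + render_hardened(SAMPLE_HOSTS[:2]))
```

Three dhcp.hosts entries come out of the vulnerable renderer as four directives, the fourth being dhcp-script; the hardened renderer raises on the same input. The check is deliberately a denylist of control characters rather than a grammar for dhcp-host, because dnsmasq accepts many token forms in that directive (set:tag, id:, option lists) and an over-strict allowlist would break legitimate entries.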
Attack Vector
The attack is network-based and has low attack complexity. An authenticated attacker with access to the Pi-hole Web interface or API crafts a DHCP host entry that contains newline characters followed by a command-executing dnsmasq directive.
The exploitation flow involves:
- Authenticating to the Pi-hole Web interface or API with valid credentials
- Opening the DHCP settings in the Web interface, or using the configuration API (in Pi-hole v6, the endpoints under /api/config) to modify dhcp.hosts
- Submitting a dhcp.hosts entry that contains newline characters followed by a dnsmasq directive such as dhcp-script
- Waiting for FTL to regenerate the dnsmasq configuration and for a DHCP lease event to occur, at which point dnsmasq runs the injected script
The injected payload typically leverages dnsmasq's dhcp-script functionality to execute arbitrary shell commands when DHCP lease events occur. For detailed technical information about the exploitation mechanism, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-35521
Indicators of Compromise
- Unexpected modifications to the dnsmasq configuration FTL generates (in v6, /etc/pihole/dnsmasq.conf) or to /etc/pihole/pihole.toml, particularly lines containing dhcp-script, dhcp-luascript or other command execution directives
- dhcp.hosts entries containing literal newline characters or encoded escape sequences such as \n or %0A in API requests
- Suspicious processes spawned as children of pihole-FTL (dnsmasq is embedded in FTL in v6, so there is no separate dnsmasq process to look for)
- Anomalous outbound network connections from the Pi-hole server
- Unexpected script files created in system directories, or any file referenced by a dhcp-script directive
Detection Strategies
- Monitor Pi-hole configuration files for unauthorized changes: /etc/pihole/pihole.toml, the generated /etc/pihole/dnsmasq.conf and, if the option to read it is enabled, the /etc/dnsmasq.d/ directory
- Implement file integrity monitoring on those dnsmasq and Pi-hole configuration files
- Review the Pi-hole API access log (in v6, /var/log/pihole/webserver.log) for configuration modification requests, in particular writes to /api/config that touch dhcp.hosts
- Deploy endpoint detection solutions to identify suspicious command execution patterns from the FTL process
- Analyze authentication logs for brute-force attempts or unauthorized access to the Pi-hole interface
Monitoring Recommendations
- Enable detailed logging for Pi-hole API requests and configuration changes
- Configure alerts for any modifications to DHCP-related configuration parameters
- Monitor process creation events for unexpected child processes of pihole-FTL, since a dhcp-script is spawned by the FTL process itself
- Implement network traffic analysis to detect unusual outbound connections from Pi-hole servers
- Set up baseline behavior monitoring for the Pi-hole server to detect anomalous activity
How to Mitigate CVE-2026-35521
Immediate Actions Required
- Upgrade Pi-hole FTL to version 6.6 or later immediately
- Review existing DHCP host configurations for any suspicious entries containing newline characters or unexpected directives
- Audit Pi-hole access logs for signs of exploitation attempts
- Restrict network access to the Pi-hole administrative interface to trusted IP addresses only
- Review and rotate administrative credentials if compromise is suspected, and invalidate existing API sessions
Patch Information
The vulnerability has been addressed in Pi-hole FTL version 6.6. The fix implements proper input sanitization for the dhcp.hosts parameter, preventing newline injection attacks. Users should update their Pi-hole installation using the standard update mechanism or by manually updating the FTL component. For complete details on the fix and affected versions, see the GitHub Security Advisory.
Workarounds
- Disable DHCP functionality in Pi-hole if not required for your deployment until the patch can be applied
- Implement strict firewall rules to limit access to the Pi-hole Web interface and API to trusted management networks only
- Enable two-factor authentication on the Pi-hole administrative interface (Pi-hole v6 supports TOTP-based 2FA in the Web interface settings) so stolen or guessed passwords alone are not enough to reach the configuration API
- Consider deploying a Web Application Firewall (WAF) in front of the Pi-hole interface to filter malicious input patterns
- Monitor and audit all DHCP configuration changes manually until the update is applied
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.