CVE-2026-39849: Pi-hole FTL RCE Vulnerability

CVE-2026-39849 is a remote code execution vulnerability in Pi-hole FTL that enables attackers to inject malicious configuration directives. This article covers the technical details, affected versions, and mitigation strategies.

Published: May 7, 2026

CVE-2026-39849 Overview

CVE-2026-39849 is a CRLF/newline injection vulnerability [CWE-93] in Pi-hole FTL, the core engine of the Pi-hole network-level advertisement and tracker blocker. The dns.interface configuration field accepts newline characters without validation, allowing an attacker to inject arbitrary directives into the generated dnsmasq configuration file. On installations with no admin password set, which is the default for many deployments, the configuration API is fully accessible without credentials. A network-adjacent attacker can inject a payload, enable the built-in DHCP server, and achieve arbitrary command execution on the host the next time any device requests a DHCP lease. The issue is fixed in version 6.6.1.

Critical Impact

A network-adjacent attacker can achieve arbitrary command execution on Pi-hole FTL hosts running default configurations without authentication, with the malicious directives persisting across restarts.

Affected Products

  • Pi-hole FTL versions before 6.6.1
  • Pi-hole deployments with no admin password configured (default)
  • Pi-hole installations exposing the configuration API to local network clients

Discovery Timeline

  • 2026-05-05 - CVE-2026-39849 published to NVD
  • 2026-05-07 - Last updated in NVD database

Technical Details for CVE-2026-39849

Vulnerability Analysis

The vulnerability stems from improper neutralization of CRLF sequences [CWE-93] in the dns.interface configuration field. Pi-hole FTL persists this field to /etc/pihole/pihole.toml and renders it into a dnsmasq configuration file. Because newline characters are accepted unchanged, an attacker can append arbitrary dnsmasq directives by submitting a value like wlan0\ndhcp-script=/tmp/p. The strncpy in the code path limits the interface field to 31 bytes, but the example payload fits within that constraint. The dnsmasq configuration validation introduced in FTL 6.6 only checks syntactic validity, so injected directives pass validation successfully.

Root Cause

The configuration validator assigned to conf->dns.interface.c was validate_stub, which performed type-based and dnsmasq syntax checks but did not reject embedded newlines. Once the field was written to the TOML file and re-emitted into the dnsmasq configuration, each newline became a directive boundary, allowing attacker-controlled options such as dhcp-script to be honored by dnsmasq.

Attack Vector

The attack requires network access to the Pi-hole FTL configuration API. With no admin password set, the attacker submits a crafted dns.interface value containing a newline followed by dhcp-script=/path/to/binary. The attacker then enables the built-in DHCP server through the same unauthenticated API. When any device on the network requests a DHCP lease, dnsmasq invokes the attacker-specified script as the FTL service user, yielding arbitrary command execution. The injected configuration is persisted and survives service restarts.

c
 	conf->dns.interface.t = CONF_STRING;
 	conf->dns.interface.f = FLAG_RESTART_FTL;
 	conf->dns.interface.d.s = (char*)"";
-	conf->dns.interface.c = validate_stub; // Type-based checking + dnsmasq syntax checking
+	conf->dns.interface.c = validate_str_no_newline;
 	
 	conf->dns.hostRecord.k = "dns.hostRecord";
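Review bot: the replacement validator on the `+` line, judging by its name, rejects only embedded newlines while the value is still re-emitted into the dnsmasq configuration; an allowlist of the characters valid in a Linux interface name (alphanumerics plus a few punctuation characters) would also exclude carriage returns, `#` and quote characters and would not need revisiting if the configuration writer changes. The removed line's comment ("Type-based checking + dnsmasq syntax checking") is also lost: a comment on the new line should state whether validate_str_no_newline still performs the dnsmasq syntax check or only the newline check.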

Source: GitHub Commit 0c46e4ec — the patch replaces validate_stub with validate_str_no_newline, rejecting any dns.interface value containing a newline before it reaches the configuration writer.

Detection Methods for CVE-2026-39849

Indicators of Compromise

  • Unexpected dhcp-script, dhcp-option, or other DHCP directives present in /etc/pihole/pihole.toml or the rendered dnsmasq configuration.
  • The Pi-hole built-in DHCP server enabled on a deployment that historically used an upstream DHCP server.
  • New executables in writable paths such as /tmp/ referenced by dhcp-script directives.
  • Unexplained child processes spawned by the pihole-FTL or dnsmasq process around DHCP lease events.

Detection Strategies

  • Inspect /etc/pihole/pihole.toml for embedded newline characters or unexpected directives appearing inside the dns.interface value.
  • Compare the generated dnsmasq configuration against a known-good template; any directive outside interface= for the configured interface warrants investigation.
  • Audit configuration API access logs for unauthenticated PATCH/PUT requests targeting the dns.interface key.
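The root cause above (a value pasted verbatim into a dnsmasq `interface=` line, so each embedded newline becomes a directive boundary) and the detection idea of checking the stored value for such boundaries can be shown together. The following is an added example, not Pi-hole FTL's code: an allowlist validator for the interface name, with a character set and 15-byte limit assumed here, beside a helper that counts how many directives a rendered value would produce.

```c
/* Added example (not Pi-hole FTL's code). The allowed character set and the
 * IFNAME_MAX limit are assumptions for illustration. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define IFNAME_MAX 15   /* Linux IFNAMSIZ minus the terminator (assumption) */

/* Allowlist validator: accept the empty default (all interfaces) or a
 * plausible interface name. Newlines, carriage returns, spaces, '#' and
 * quotes are all rejected because they are not in the allowlist. */
bool validate_interface_name(const char *s)
{
    size_t len = strlen(s);
    if (len == 0)
        return true;
    if (len > IFNAME_MAX)
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && strchr(".-_:@", c) == NULL)
            return false;
    }
    return true;
}

/* Mirrors the vulnerable rendering path: the value is written verbatim into
 * an "interface=" line. Returns how many directives dnsmasq would read
 * (non-comment lines); a clean value gives 1, an embedded newline gives more.
 * Returns -1 if the value does not fit the buffer. */
int count_rendered_directives(const char *iface)
{
    char conf[256];
    int n = snprintf(conf, sizeof conf, "interface=%s\n", iface);
    if (n < 0 || (size_t)n >= sizeof conf)
        return -1;
    int directives = 0;
    for (char *line = strtok(conf, "\n"); line; line = strtok(NULL, "\n"))
        if (line[0] != '#')
            directives++;
    return directives;
}

int main(void)
{
    /* Constructed inputs: a normal name, and one smuggling a harmless
     * second directive through an embedded newline. */
    const char *inputs[] = { "eth0", "eth0\nlog-queries" };
    for (int i = 0; i < 2; i++)
        printf("valid=%d directives=%d\n", validate_interface_name(inputs[i]),
               count_rendered_directives(inputs[i]));
    return 0;
}
```

Any stored dns.interface value for which `count_rendered_directives` returns more than 1 is exactly the tampering the Detection Strategies list asks you to look for.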

Monitoring Recommendations

  • Alert on process creations where the parent is dnsmasq or pihole-FTL and the child is a shell or interpreter.
  • Monitor write events to /etc/pihole/pihole.toml and the active dnsmasq configuration directory.
  • Track changes to DHCP server state on Pi-hole hosts and correlate with configuration API activity.

How to Mitigate CVE-2026-39849

Immediate Actions Required

  • Upgrade Pi-hole FTL to version 6.6.1 or later, which replaces validate_stub with validate_str_no_newline for the dns.interface field.
  • Set a strong admin password on every Pi-hole deployment to require authentication for configuration API calls.
  • Restrict network exposure of the Pi-hole web and API interfaces to trusted management segments only.
  • Review /etc/pihole/pihole.toml for injected directives and revert any unauthorized changes before restarting the service.

Patch Information

The fix is delivered in Pi-hole FTL release v6.6.1. The validator change is documented in GitHub Security Advisory GHSA-9cqv-839p-gpq2 and implemented in commit 0c46e4ec.

Workarounds

  • Configure an admin password so the configuration API rejects unauthenticated writes until the patched version is deployed.
  • Block access to the Pi-hole web interface and API from untrusted VLANs using host or network firewall rules.
  • Disable the built-in Pi-hole DHCP server if not required, reducing the impact of dhcp-script directive injection.
  • Run Pi-hole FTL with file integrity monitoring on /etc/pihole/pihole.toml to detect tampering between scheduled patch windows.
```bash
# Verify installed FTL version and upgrade
pihole -v
pihole -up

# Set an admin password to require authenticated config API access
pihole -a -p

# Inspect the persisted configuration for injected newlines or DHCP directives
grep -nE 'interface|dhcp-script|dhcp-option' /etc/pihole/pihole.toml
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: RCE
  • Vendor/Tech: Pi-hole
  • Severity: HIGH
  • CVSS Score: 8.7
  • EPSS Probability: 0.09%
  • Known Exploited: No
  • CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: High

CWE References

  • CWE-93

Technical References

  • GitHub Commit Details
  • GitHub Release v6.6.1
  • GitHub Security Advisory GHSA-9cqv-839p-gpq2

Related CVEs

  • CVE-2026-35519: Pi-hole FTL DNS RCE Vulnerability
  • CVE-2026-33765: Pi-hole Admin Interface RCE Vulnerability
  • CVE-2020-8816: Pi-hole Web AdminLTE RCE Vulnerability
  • CVE-2026-33405: Pi-hole Web Interface XSS Vulnerability
©2026 SentinelOne, All Rights Reserved.