CVE-2026-34578
Published: 09 April 2026
Summary
CVE-2026-34578 is a high-severity LDAP Injection (CWE-90) vulnerability in OPNsense. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 45.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 IA-6 (Authentication Feedback) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation and sanitization of username input before it is placed in an LDAP search filter, preventing the injection of filter metacharacters seen in this CVE.
- Flaw remediation (patching): Mandates timely remediation of the specific LDAP injection flaw by upgrading to OPNsense 26.1.6 or later.
- IA-6 (Authentication Feedback): Obscures authentication feedback so that the response to an injected filter does not reveal whether an LDAP username exists, limiting username enumeration.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables exploitation of a public-facing web application (T1190) via LDAP injection on the WebGUI login page. An unauthenticated remote attacker can enumerate valid LDAP usernames (Account Discovery: Domain Account, T1087.002) and, when an Extended Query restricts login to a group, bypass that group restriction to authenticate as any LDAP user whose password is already known.
NVD Description
OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.6, OPNsense's LDAP authentication connector passes the login username directly into an LDAP search filter without calling ldap_escape(). An unauthenticated attacker can inject LDAP filter metacharacters into the username field of the WebGUI login page to enumerate valid LDAP usernames in the configured directory. When the LDAP server configuration includes an Extended Query to restrict login to members of a specific group, the same injection can be used to bypass that group membership restriction and authenticate as any LDAP user whose password is known, regardless of group membership. This vulnerability is fixed in 26.1.6.
Deeper analysis
CVE-2026-34578 is an LDAP injection vulnerability in OPNsense, a FreeBSD-based firewall and routing platform. Prior to version 26.1.6, the LDAP authentication connector passes the login username directly into an LDAP search filter without escaping it via ldap_escape(), so LDAP filter metacharacters such as `*`, `(`, `)` and `\` in the username become part of the filter's structure rather than of the value being matched. The flaw is reachable from the WebGUI login page whenever LDAP authentication is configured, and is classified under CWE-90 with a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N): a network-reachable, low-complexity attack that needs no privileges or user interaction, with high confidentiality and low integrity impact.
An unauthenticated remote attacker exploits the flaw by submitting crafted input in the username field of the login form. Two outcomes follow. First, wildcard or restructured filters let the attacker tell valid LDAP usernames from invalid ones by observing the differing responses, enumerating the configured directory. Second, if the LDAP server configuration includes an Extended Query that restricts logins to members of a specific group, the injected metacharacters can rewrite the filter so that the group clause is no longer a mandatory condition, allowing authentication as any LDAP user whose password is known, irrespective of group membership. Note that the bypass does not disclose or bypass passwords: the attacker still needs valid credentials for the target account, and what is defeated is the group-based authorization layered on top of them.
The vulnerability is addressed in OPNsense 26.1.6, where the fix escapes the username before it is placed in the LDAP search filter, as detailed in the commit at https://github.com/opnsense/core/commit/016f66cb4620cd48183fa97843f343bb71813c6e and the GitHub Security Advisory at https://github.com/opnsense/core/security/advisories/GHSA-jpm7-f59c-mp54. Security practitioners should upgrade to 26.1.6 or later, check whether any configured LDAP server relies on an Extended Query for group restriction (those deployments are exposed to the bypass, not just to enumeration), and confirm that the WebGUI login page is not reachable from untrusted networks.
Details
- CWE(s)