Main Vulnerability Database Vulnerabilities #VU125579

LDAP injection in OPNsense - CVE-2026-34578

Published: April 9, 2026

Vulnerability identifier: #VU125579

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2026-34578

CWE-ID: CWE-90

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Deciso

Affected software:
OPNsense

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information and bypass group-based access restrictions.

The vulnerability exists due to improper neutralization of special elements used in an LDAP query in the LDAP authentication connector searchUsers() method when processing the username field supplied to the WebGUI login page. A remote attacker can inject LDAP filter metacharacters into the username field to disclose sensitive information and bypass group-based access restrictions.

Enumeration can be performed without credentials, while bypassing the extended query group restriction requires knowledge of a valid LDAP user's password and only applies when an Extended Query is configured to restrict logins by group membership.

How to mitigate CVE-2026-34578

Install security update from vendor's website.

LDAP injection in OPNsense - CVE-2026-34578

Detailed vulnerability description

How to mitigate CVE-2026-34578

Sources

Please verify you're human