CVE-2026-34578
LDAP Injection in OPNsense Allows User Enumeration and Bypass
Publication date: 2026-04-09
Last updated on: 2026-04-14
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| opnsense | opnsense | all versions before 26.1.6 (26.1.6 itself not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-90 | The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthenticated attackers to enumerate valid LDAP usernames by injecting LDAP filter metacharacters into the login username field, revealing sensitive user identity information.
Additionally, it enables attackers with valid credentials but outside restricted groups to bypass group membership restrictions, potentially granting unauthorized access to protected resources.
Such unauthorized disclosure of user identities and unauthorized access could lead to violations of data protection regulations like GDPR and HIPAA, which mandate strict controls on personal data confidentiality and access.
Therefore, this vulnerability poses a risk to compliance with these standards by compromising confidentiality and access control mechanisms.
Can you explain this vulnerability to me?
This vulnerability in OPNsense's LDAP authentication connector occurs because the login username from the WebGUI login page is directly inserted into an LDAP search filter without proper escaping. This allows an unauthenticated attacker to inject LDAP filter metacharacters into the username field.
There are two main attack methods: first, an attacker can enumerate valid LDAP usernames by injecting wildcard characters into the username field and observing timing differences in LDAP responses. Second, if the LDAP server restricts login to members of a specific group using an Extended Query, an attacker who knows a valid user's password but who is not in the group can manipulate the LDAP filter to bypass this group membership restriction and authenticate successfully.
The root cause is that the username is not passed through ldap_escape() before it is placed in the LDAP filter, so filter metacharacters in the username are interpreted as filter syntax rather than as literal characters. The issue was fixed in OPNsense version 26.1.6 by escaping the username's special LDAP characters before building the filter.
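To make the root cause concrete, here is an added example (not OPNsense's code and not from the advisory) that builds a group-restricted LDAP filter from a login name in the vulnerable way and in the fixed way. The filter template, attribute names and group DN are assumptions standing in for the connector's real query; `escape_filter_value()` reimplements the RFC 4515 filter-escaping rule that PHP's `ldap_escape()` applies to a filter value, so the effect of the fix is visible without a directory server.

```python
"""LDAP filter escaping: the vulnerable concatenation beside the fixed form.

Added illustration, not OPNsense's code. The filter template is an assumed
stand-in for the connector's real query; OPNsense's fix uses PHP's
ldap_escape(), and escape_filter_value() below reimplements the RFC 4515
filter-escaping rule that function applies to a filter value.
"""
import re

# Characters that change the meaning of an LDAP search filter (RFC 4515 section 3).
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Replace each filter metacharacter with its \\XX hex form in one pass.

    A single pass matters: escaping the backslash first and then '*' in a
    second pass would double-escape the backslashes the first pass produced.
    """
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    """Inverse of escape_filter_value(), used to check that escaping is lossless."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_filter_unescaped(username: str, group_dn: str) -> str:
    """Vulnerable pattern: the login name is dropped into the filter verbatim."""
    return f"(&(uid={username})(memberOf={group_dn}))"


def build_filter_escaped(username: str, group_dn: str) -> str:
    """Fixed pattern: the login name is escaped, so it can only ever be a literal value."""
    return f"(&(uid={escape_filter_value(username)})(memberOf={group_dn}))"


def count_attribute_assertions(ldap_filter: str, attribute: str) -> int:
    """Number of '(attribute=' nodes in the filter; one login name should yield exactly one."""
    return len(re.findall(r"\(" + re.escape(attribute) + "=", ldap_filter))


if __name__ == "__main__":
    group = "cn=vpnusers,ou=groups,dc=example,dc=net"  # constructed DN
    for name in ("alice", "admin*", "targetuser)(|(uid=targetuser"):
        raw, safe = build_filter_unescaped(name, group), build_filter_escaped(name, group)
        print(f"{name!r}: raw uid nodes={count_attribute_assertions(raw, 'uid')}, "
              f"escaped uid nodes={count_attribute_assertions(safe, 'uid')}")
        print("  escaped filter:", safe)
```

Run stand-alone, the script shows that the two usernames quoted in this advisory produce a second `(uid=` node and a wildcard assertion in the unescaped filter, while the escaped filter keeps exactly one `(uid=` node and no bare `*`, regardless of what the client sent.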
How can this vulnerability impact me?
This vulnerability can impact you by allowing unauthenticated attackers to enumerate all valid LDAP usernames in your directory, revealing sensitive user information.
Additionally, attackers who know the password of a valid LDAP user but who are not members of a restricted group can bypass group membership restrictions and authenticate as that user, potentially gaining unauthorized access to OPNsense services such as the WebGUI, Captive Portal, and VPN.
The vulnerability has a high severity score (CVSS 8.2) and can lead to confidentiality breaches and integrity issues related to access control.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting LDAP injection attacks against the OPNsense WebGUI login page's username field. Specifically, an attacker can inject LDAP wildcard characters (e.g., admin*) into the username field and observe timing differences in LDAP connection attempts to enumerate valid usernames.
A practical detection method involves sending crafted login requests with usernames containing LDAP filter metacharacters and measuring response times or LDAP server responses to identify valid usernames.
For example, using curl or similar tools to send POST requests to the WebGUI login endpoint with payloads like 'admin*' or 'targetuser)(|(uid=targetuser' in the username field can help detect the vulnerability by observing authentication behavior or timing differences.
- Use curl to send a login POST request with a wildcard username: curl -X POST -d 'usernamefld=admin*' -d 'passwordfld=any' https://<opnsense-ip>/login
- Perform binary search style username enumeration by varying the prefix in the username field (e.g., a*, ad*, adm*) and measuring response times or LDAP connection counts.
- Attempt to bypass group membership restrictions by injecting crafted usernames such as 'targetuser)(|(uid=targetuser' and testing authentication with known passwords.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade OPNsense to version 26.1.6 or later, where the vulnerability is fixed by properly escaping LDAP usernames using ldap_escape() before including them in LDAP search filters.
If upgrading immediately is not possible, restrict network access to the OPNsense WebGUI login page to trusted source addresses only, which reduces exposure to unauthenticated attackers.
Additionally, monitor LDAP authentication logs for unusual login attempts with suspicious usernames containing LDAP metacharacters.
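The log-monitoring step can be turned into a concrete check. The following is an added detection example (not an OPNsense tool or part of this advisory) that flags login attempts whose username contains an LDAP filter metacharacter and surfaces source addresses that tried several distinct wildcard usernames in a row. The log line format, timestamps, names and addresses in `SAMPLE_LOG` are constructed for the example; `LINE_RE` must be adjusted to the real audit log format before use.

```python
"""Flag LDAP metacharacters in login usernames from authentication log lines.

Added detection example; not an OPNsense tool. The log line format below is a
constructed stand-in: adjust LINE_RE to the real audit log format before use.
"""
import re
from collections import defaultdict

# Filter metacharacters a legitimate login name never needs (RFC 4515).
LDAP_METACHARS = frozenset("*()\\\x00")

# Constructed sample lines in an assumed format; timestamps, names and
# addresses are made up for the example.
SAMPLE_LOG = """\
2026-04-10T09:12:01 audit: user 'alice' authenticated successfully for WebGui from 192.168.1.20
2026-04-10T09:12:07 audit: user 'a*' could not authenticate for WebGui from 203.0.113.9
2026-04-10T09:12:08 audit: user 'ad*' could not authenticate for WebGui from 203.0.113.9
2026-04-10T09:12:08 audit: user 'adm*' could not authenticate for WebGui from 203.0.113.9
2026-04-10T09:13:30 audit: user 'bob' could not authenticate for WebGui from 192.168.1.31
2026-04-10T09:14:02 audit: user 'bob)(|(uid=bob' authenticated successfully for WebGui from 203.0.113.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) audit: user '(?P<user>[^']*)' (?P<outcome>.+?) for \S+ from (?P<src>\S+)$"
)


def parse_line(line: str):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_metachar_logins(log_text: str) -> list:
    """Every login attempt whose username carries an LDAP filter metacharacter.

    Each finding records the distinct metacharacters seen, so an analyst can
    tell a wildcard sweep ('*') from a filter-structure injection ('(' and ')').
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        found = sorted(set(rec["user"]) & LDAP_METACHARS)
        if found:
            rec["metachars"] = found
            findings.append(rec)
    return findings


def sources_with_wildcard_sweeps(log_text: str, threshold: int = 3) -> dict:
    """Source addresses that tried at least `threshold` distinct wildcard usernames.

    A series of growing prefixes (a*, ad*, adm*) from one address is the
    footprint of the prefix-based enumeration this advisory describes.
    """
    wildcards = defaultdict(set)
    for rec in find_metachar_logins(log_text):
        if "*" in rec["metachars"]:
            wildcards[rec["src"]].add(rec["user"])
    return {src: len(names) for src, names in wildcards.items() if len(names) >= threshold}


if __name__ == "__main__":
    for hit in find_metachar_logins(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} user={hit['user']!r} "
              f"metachars={hit['metachars']} ({hit['outcome']})")
    print("wildcard sweeps:", sources_with_wildcard_sweeps(SAMPLE_LOG))
```

A successful login whose username contains `(` or `)` deserves immediate attention on an unpatched system, since a well-formed login name never needs those characters; a run of wildcard names from one address is the quieter signal and is worth alerting on even when every attempt failed.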