CVE-2026-35517
Remote Code Execution in Pi-hole FTL via DNS Upstreams Injection
Publication date: 2026-04-07
Last updated on: 2026-04-28
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pi-hole | ftldns | From 6.0 (inc) to 6.5 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
| CWE-93 | The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-35517 is a remote code execution (RCE) vulnerability in Pi-hole FTL versions 6.0 up to and including 6.5 (fixed in 6.6). It stems from missing input validation of the dns.upstreams configuration parameter, the list of upstream DNS servers that FTL turns into dnsmasq server= directives.
An authenticated attacker can embed newline characters in a dns.upstreams value (CWE-93). Because the validation function for this parameter always returns true without examining the value, the newline-separated text is written verbatim into the dnsmasq configuration file that FTL generates, where every line after the newline is parsed as a configuration directive of the attacker's choosing (CWE-78).
The directives named in the advisory are dhcp-script, which tells dnsmasq to run an external program, and leasefile-ro, which makes dnsmasq call that program (with the argument "init") when it starts. The injected command therefore runs as soon as dnsmasq is restarted, without any DHCP activity on the network.
Exploitation takes two steps: an authenticated PATCH request to the Pi-hole API that sets dns.upstreams to the malicious value, followed by a restart of the DNS service, which executes the injected command.
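The following is an added example (Python, not Pi-hole's own code) that shows the mechanism described above: how an upstream entry containing a newline is rendered into extra dnsmasq directives, a validator that always returns True as the advisory describes, and a hardened validator that rejects the payload. The rendering format (`server=<entry>`, one per line) and the accepted entry shape (an IPv4/IPv6 address with an optional `#port`) are assumptions for the example; hostname upstreams are deliberately not accepted here, and the script path in the payload is a placeholder.

```python
"""Added example (not Pi-hole's code): newline injection through dns.upstreams
and a validator that stops it.

Assumed, not taken from the advisory: upstream entries are rendered one per
line as ``server=<entry>`` with no escaping, and a legitimate entry is an
IPv4/IPv6 address with an optional ``#port`` suffix.
"""
import ipaddress


def render_dnsmasq_upstreams(upstreams):
    """Render entries the way a generator that trusts its input would:
    one server= line per entry, copied verbatim."""
    return "".join(f"server={u}\n" for u in upstreams)


def validate_upstreams_vulnerable(upstreams):
    """Mirrors the advisory's description: the check always succeeds."""
    return True


def validate_upstream_entry(entry):
    """Hardened check for one entry: no control characters, then IP[#port]."""
    if any(ord(c) < 0x20 or c == "\x7f" for c in entry):
        return False  # rejects \n, \r, \t and friends (CWE-93)
    host, sep, port = entry.partition("#")
    if sep and (not port.isdigit() or not 1 <= int(port) <= 65535):
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False  # hostnames are not accepted in this example
    return True


def validate_upstreams_hardened(upstreams):
    return all(validate_upstream_entry(u) for u in upstreams)


def injected_directives(upstreams):
    """Every rendered line that is not a server= directive, i.e. the lines a
    newline inside an entry smuggled into the generated configuration."""
    lines = render_dnsmasq_upstreams(upstreams).splitlines()
    return [line for line in lines if not line.startswith("server=")]


# Constructed sample payload in the shape the advisory describes: a legitimate
# upstream followed by two smuggled directives. /tmp/payload.sh is a placeholder.
MALICIOUS_UPSTREAMS = [
    "1.1.1.1#53",
    "9.9.9.9\nleasefile-ro\ndhcp-script=/tmp/payload.sh",
]
BENIGN_UPSTREAMS = ["1.1.1.1#53", "2606:4700:4700::1111"]

if __name__ == "__main__":
    print(render_dnsmasq_upstreams(MALICIOUS_UPSTREAMS))
    print("vulnerable validator accepts payload:",
          validate_upstreams_vulnerable(MALICIOUS_UPSTREAMS))
    print("hardened validator accepts payload:",
          validate_upstreams_hardened(MALICIOUS_UPSTREAMS))
    print("smuggled directives:", injected_directives(MALICIOUS_UPSTREAMS))
```

Rendering the malicious list produces `server=9.9.9.9` followed by `leasefile-ro` and `dhcp-script=/tmp/payload.sh` on their own lines, which is exactly what dnsmasq will parse on its next start. The hardened validator rejects the entry at the control-character check before any address parsing happens, which is the right order: reject the record separator first, then validate the value.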
How can this vulnerability impact me?
This vulnerability can lead to full system compromise by allowing an attacker to execute arbitrary commands on the Pi-hole server.
- Installation of backdoors on the affected system.
- Exfiltration of sensitive data such as DNS logs and network configurations.
- Lateral movement within the network, potentially compromising other systems.
- DNS hijacking, which can redirect network traffic maliciously.
- Widespread network disruption in enterprise environments.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Start with the installed Pi-hole FTL version: versions from 6.0 up to and including 6.5 are affected, and 6.6 or later is fixed.
Exploitation leaves traces in configuration. Check whether any dns.upstreams entry contains newline or carriage-return characters, and whether the dnsmasq configuration that FTL generates contains directives that should not be there, in particular leasefile-ro or dhcp-script. Because the injected text lives inside an upstream entry, in the generated file it appears directly after a server= line.
Since exploitation requires an authenticated PATCH request to the /api/config endpoint, review web server and API logs for PATCH requests that modify dns.upstreams, especially from unfamiliar client addresses or accounts.
Suggested commands include:
- Check the Pi-hole FTL version: `pihole-FTL -v`
- On a v6 install, print the configured upstreams and look for embedded line breaks: `pihole-FTL --config dns.upstreams`
- Inspect the generated dnsmasq configuration for injected directives. The path depends on the install: `/etc/dnsmasq.d/01-pihole.conf` is the pre-v6 layout, while a v6 install keeps its generated file under `/etc/pihole/` (e.g. `/etc/pihole/dnsmasq.conf`): `grep -nE '^[[:space:]]*(leasefile-ro|dhcp-script)' /etc/dnsmasq.d/01-pihole.conf /etc/pihole/dnsmasq.conf 2>/dev/null`
- Review recent API PATCH requests modifying dns.upstreams in the Pi-hole or web server logs.
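The checks listed above, as an added example in Python (not part of the advisory or of Pi-hole), written as functions over file contents so they can be run against constructed input here or pointed at a real install. Assumed, not from the advisory: the version string is whatever `pihole-FTL -v` prints for the version (e.g. `v6.3`), the generated dnsmasq configuration is a plain `key[=value]` file, and the access log is in a common web-server format. Both sample inputs are constructed for the example.

```python
"""Added example (not the advisory's or Pi-hole's code): version check,
generated-config scan and access-log review for CVE-2026-35517.

Assumptions: version strings look like 'v6.3'; the dnsmasq config is one
directive per line; access log lines carry the request line in quotes.
"""
import re

VULNERABLE_MIN = (6, 0)   # first affected version (inclusive)
FIXED = (6, 6)            # first fixed version (exclusive upper bound)

# Directives the advisory names as the injection vehicle, plus dhcp-luascript,
# which also makes dnsmasq execute external code. Extend to taste.
DIRECTIVES_OF_INTEREST = {"dhcp-script", "leasefile-ro", "dhcp-luascript"}


def parse_version(text):
    """Extract the first a.b[.c] version from text such as 'v6.3' or 'FTL v6.3'."""
    m = re.search(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups(default="0"))


def is_vulnerable_version(text):
    """True for 6.0 <= version < 6.6, the range the advisory gives."""
    return VULNERABLE_MIN <= parse_version(text) < FIXED


def scan_dnsmasq_conf(text):
    """Return (line number, line) for every directive of interest.
    Directives are matched on the key before '=', not by substring, so a
    comment or a server= line mentioning the word is not a finding."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key = line.split("=", 1)[0].strip()
        if key in DIRECTIVES_OF_INTEREST:
            findings.append((lineno, line))
    return findings


def find_config_patches(log_text):
    """Return access-log lines carrying a PATCH to /api/config (the request
    the advisory says exploitation requires)."""
    pattern = re.compile(r'"PATCH /api/config\b')
    return [line for line in log_text.splitlines() if pattern.search(line)]


# Constructed samples: a generated config with the injected directives sitting
# right after the server= lines, and an access log with one config PATCH.
SAMPLE_DNSMASQ_CONF = """\
# Pi-hole generated dnsmasq configuration (constructed sample)
domain-needed
server=1.1.1.1#53
server=9.9.9.9
leasefile-ro
dhcp-script=/tmp/payload.sh
log-queries
"""

SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [07/Apr/2026:10:15:01 +0000] "GET /api/stats/summary HTTP/1.1" 200 512
192.0.2.77 - - [07/Apr/2026:10:15:09 +0000] "PATCH /api/config HTTP/1.1" 200 143
192.0.2.10 - - [07/Apr/2026:10:15:30 +0000] "GET /api/config HTTP/1.1" 200 2048
"""

if __name__ == "__main__":
    # To check a real install, read the files and pass their contents instead,
    # e.g. scan_dnsmasq_conf(open("/etc/pihole/dnsmasq.conf").read()).
    print("vulnerable version (v6.3):", is_vulnerable_version("v6.3"))
    for lineno, line in scan_dnsmasq_conf(SAMPLE_DNSMASQ_CONF):
        print(f"suspicious directive at line {lineno}: {line}")
    for line in find_config_patches(SAMPLE_ACCESS_LOG):
        print("config PATCH:", line)
```

A finding from `scan_dnsmasq_conf` is strong evidence only where the directive is absent from a known-good copy of the generated file, so keep one from a clean install to diff against; `find_config_patches` is a triage aid, since legitimate administrators also change the configuration this way.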
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade Pi-hole FTL to version 6.6 or later, where this vulnerability is fixed.
Until the upgrade can be applied, restrict network access to the Pi-hole API and web interface to trusted users, since exploitation requires authentication. Note that this does not stop an attacker who already holds valid credentials.
Monitor and audit changes to the dns.upstreams configuration parameter so that injection attempts are noticed.
Before restarting the DNS service, inspect the generated dnsmasq configuration for injected directives, because the restart is what executes them. Avoiding manual restarts is only a stopgap: a host reboot or package update restarts dnsmasq as well, so the configuration must be cleaned and FTL patched rather than left untouched.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an authenticated attacker to achieve remote code execution on the underlying system, potentially leading to full system compromise, installation of backdoors, data exfiltration including DNS logs and network configurations, lateral movement within networks, and widespread network disruption.
Such impacts can result in unauthorized access to sensitive data and disruption of services, which may violate compliance requirements under common standards and regulations like GDPR and HIPAA that mandate protection of personal and health information, system integrity, and availability.
Therefore, if exploited, this vulnerability could lead to non-compliance with these regulations due to potential data breaches, loss of confidentiality, integrity, and availability of critical systems and data.