CVE-2026-35518
Remote Code Execution in Pi-hole FTL via DNS CNAME Injection

Publication date: 2026-04-07

Last updated on: 2026-04-28

Assigner: GitHub, Inc.

Description
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS CNAME records configuration parameter (dns.cnameRecords). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.
Meta Information
Published: 2026-04-07
Last Modified: 2026-04-28
Generated: 2026-05-06
AI Q&A: 2026-04-07
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pi-hole | ftldns | From 6.0 (inc) to 6.5 (inc) |
CWE
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
| CWE-93 | The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs. |
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-35518 is a Remote Code Execution (RCE) vulnerability in the Pi-hole FTL engine versions 6.0 to before 6.6. It arises from improper input validation in the dns.cnameRecords configuration parameter, which allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters.

The vulnerability occurs because the Pi-hole API accepts custom DNS CNAME records that are written directly to the dnsmasq configuration file without properly sanitizing newline characters. This enables an attacker to inject additional malicious dnsmasq directives, such as leasefile-ro and dhcp-script, which can be exploited to execute shell commands on the underlying system.

An attacker can exploit this by sending a specially crafted PATCH request to the /api/config endpoint with malicious cnameRecords containing newline-separated directives. After restarting the DNS service, the injected commands execute, granting the attacker arbitrary code execution with elevated privileges.
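
The injection described above, reduced to a C sketch: this is an added example, not code from Pi-hole FTL, showing a config writer that copies the record verbatim beside one that rejects it. The function names, the sample records and the character allow-list are assumptions made for illustration; the allow-list is not the check that FTL 6.6 implements.

```c
#include <ctype.h>
#include <stdio.h>

/* Before: rec is copied unchanged, so each embedded '\n' starts a new directive. */
int render_cname_unsafe(char *out, size_t len, const char *rec)
{
    return snprintf(out, len, "cname=%s\n", rec);
}

/* Assumed allow-list: hostname characters plus ',' as field separator
 * (digits also cover an optional TTL). CR, LF and '=' never pass. */
int cname_record_is_safe(const char *rec)
{
    if (rec == NULL || *rec == '\0')
        return 0;
    for (const unsigned char *p = (const unsigned char *)rec; *p; p++)
        if (!isalnum(*p) && *p != '.' && *p != '-' && *p != '_' && *p != ',')
            return 0;
    return 1;
}

/* After: refuse the record (-1) instead of writing it. */
int render_cname_checked(char *out, size_t len, const char *rec)
{
    return cname_record_is_safe(rec) ? snprintf(out, len, "cname=%s\n", rec) : -1;
}

/* Lines dnsmasq would read after `render` writes one record; -1 if refused. */
int directives_from(int (*render)(char *, size_t, const char *), const char *rec)
{
    char buf[512];
    int n = 0;
    if (render(buf, sizeof buf, rec) < 0)
        return -1;
    for (const char *p = buf; *p; p++)
        n += (*p == '\n');
    return n;
}

int main(void)
{
    /* Constructed records; the script path is a placeholder. */
    const char *good = "www.example.lan,host.example.lan";
    const char *bad = "a.example.lan,b.example.lan\nleasefile-ro\ndhcp-script=/path/to/placeholder";
    printf("unsafe,  injected record: %d lines\n", directives_from(render_cname_unsafe, bad));
    printf("checked, injected record: %d\n", directives_from(render_cname_checked, bad));
    printf("checked, normal record:   %d line\n", directives_from(render_cname_checked, good));
    return 0;
}
```

Rejecting the whole record, rather than stripping the offending bytes, keeps the stored setting and the written configuration identical.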


How can this vulnerability impact me?

This vulnerability allows authenticated attackers with access to the Pi-hole admin interface to execute arbitrary system commands with elevated privileges on the underlying system. Possible consequences include:

  • Installation of backdoors on the affected system.
  • Exfiltration of sensitive data such as DNS logs and network configuration.
  • Lateral movement within the network, potentially compromising other systems.
  • DNS hijacking and network disruption, affecting availability and integrity of network services.

The impact is particularly severe in enterprise environments where Pi-hole serves as a primary DNS resolver.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

To determine whether you are exposed, check your Pi-hole FTL engine version: versions from 6.0 up to, but not including, 6.6 are vulnerable.

To detect exploitation attempts or presence of malicious configuration, you can inspect the dns.cnameRecords parameter for suspicious newline characters or injected dnsmasq directives.

Commands to help detect this include:

  • Check Pi-hole FTL version: `pihole-FTL version` or check installed package version.
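  • Inspect the dnsmasq configuration files for injected directives. A newline injected through the API becomes a real line break in the file, so search for the directives themselves rather than for `\n`: `grep -nE 'leasefile-ro|dhcp-script' /etc/dnsmasq.d/*`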
  • Review Pi-hole API logs or web interface logs for suspicious PATCH requests to `/api/config` containing unusual cnameRecords entries.
  • Monitor running processes or network connections for unexpected shells or reverse shells that might indicate exploitation.

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the Pi-hole FTL engine to version 6.6 or later, where this vulnerability is fixed.

Additionally, restrict access to the Pi-hole admin interface to trusted users only, as exploitation requires authentication.

As a temporary measure, monitor and audit the dns.cnameRecords configuration parameter for suspicious entries and avoid applying untrusted CNAME records.

Restart the DNS service after applying patches or configuration changes to ensure no malicious configuration is loaded.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows authenticated attackers to execute arbitrary system commands with elevated privileges on the Pi-hole server, potentially leading to installation of backdoors, data exfiltration including DNS logs and network configuration, lateral movement, DNS hijacking, and network disruption.

Such impacts can compromise the confidentiality, integrity, and availability of sensitive data and systems, which may lead to non-compliance with common standards and regulations like GDPR and HIPAA that require protection of personal and sensitive information.

Organizations using vulnerable versions of Pi-hole FTL could face risks related to unauthorized access and data breaches, which are critical compliance concerns under these regulations.

