CVE-2026-35519
Remote Code Execution in Pi-hole FTL via dns.hostRecord Injection

Publication date: 2026-04-07

Last updated on: 2026-04-28

Assigner: GitHub, Inc.

Description
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DNS host record configuration parameter (dns.hostRecord). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.
Meta Information
Generated: 2026-05-06
AI Q&A generated: 2026-04-07
EPSS evaluated: 2026-05-05
Affected Vendors & Products
Vendor: pi-hole
Product: ftldns
Version range: from 6.0 (inclusive) to 6.5 (inclusive)
CWE IDs
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-93: The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows an authenticated attacker to execute arbitrary system commands with elevated privileges on the Pi-hole server, potentially leading to full system compromise.

Such a compromise can result in unauthorized access to sensitive data, including DNS logs and network configurations, which may contain personal or confidential information.

Exposure or exfiltration of this data could violate data protection regulations such as GDPR or HIPAA, which require safeguarding personal and sensitive information against unauthorized access.

Additionally, disruption of DNS infrastructure and potential lateral movement within networks could further impact the integrity and availability of systems, which are also critical aspects of compliance frameworks.


Can you explain this vulnerability to me?

CVE-2026-35519 is a Remote Code Execution (RCE) vulnerability in the Pi-hole FTL engine versions 6.0 to before 6.6. It arises from improper input validation in the dns.hostRecord configuration parameter, which is used to define custom DNS host records via the Pi-hole API.

The vulnerability occurs because the dns.hostRecord value is written directly into the dnsmasq configuration file without sanitizing newline characters. This allows an authenticated attacker to inject arbitrary dnsmasq configuration directives, including malicious commands.

Specifically, an attacker can inject newline characters followed by directives like leasefile-ro and dhcp-script, which cause dnsmasq to execute arbitrary shell commands, such as opening a reverse shell to the attacker.


How can this vulnerability impact me?

This vulnerability allows an authenticated attacker with access to the Pi-hole administrative interface to execute arbitrary system commands with elevated privileges on the underlying system. Possible consequences include:

  • Full system compromise, including installing backdoors.
  • Exfiltration of sensitive data such as DNS logs and network configurations.
  • Lateral movement within the network.
  • DNS hijacking and disruption of DNS infrastructure.

The vulnerability has a high severity rating with a CVSS v3 score of 8.8, indicating a high impact on confidentiality, integrity, and availability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking whether your Pi-hole FTL engine version is 6.0 or later but earlier than 6.6, as those versions are vulnerable.

Detection involves verifying if unauthorized or suspicious dns.hostRecord configuration entries have been injected, especially those containing newline characters or dnsmasq directives such as leasefile-ro or dhcp-script.

You can inspect the dnsmasq configuration file used by Pi-hole FTL for unexpected entries by running commands like:

  • sudo grep -E 'leasefile-ro|dhcp-script' /etc/dnsmasq.d/01-pihole.conf
  • sudo systemctl status pihole-FTL.service
  • Check Pi-hole API logs or configuration via API calls to see if suspicious PATCH requests have been made to /api/config with dns.hostRecord parameters containing newline characters.
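The two checks above can be scripted. The following is an added example, not Pi-hole project code: validate_host_record() is the kind of strict check one would run over the dns.hostRecord value of a PATCH /api/config body (rejecting any CR/LF so a value can never become a second config line), and find_injected_directives() scans a generated dnsmasq config for the leasefile-ro and dhcp-script directives named above. The sample config and its /tmp path are constructed; the hostname grammar is a plain DNS label check and is an assumption, not FTL's own parser.

```python
"""Defensive checks for CVE-2026-35519 (Pi-hole FTL dns.hostRecord injection).
Added example, not Pi-hole code. Sample data below is constructed."""
import ipaddress
import re

# dnsmasq directives that should not appear in a config FTL generated from
# dns.hostRecord; the page names these two as the injected ones.
SUSPICIOUS_DIRECTIVES = ("leasefile-ro", "dhcp-script")

# DNS label/hostname grammar (assumption: letters, digits, hyphens, dots)
_LABEL = r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"^{_LABEL}(\.{_LABEL})*$")


def validate_host_record(value: str) -> bool:
    """Return True only for a single dnsmasq host-record value of the form
    name[,name...],address[,address...]. Any control character (including
    CR/LF, which would start a new config line) makes the value invalid."""
    if any(ord(c) < 0x20 or c == "\x7f" for c in value):
        return False
    names, addrs = [], []
    for part in (p.strip() for p in value.split(",")):
        try:
            addrs.append(ipaddress.ip_address(part))  # IPv4 or IPv6 literal
        except ValueError:
            names.append(part)
    # Need at least one hostname and one address, and every name must be
    # a syntactically valid hostname (no '=', '#', spaces, etc.).
    return bool(names) and bool(addrs) and all(_HOSTNAME.match(n) for n in names)


def find_injected_directives(config_text: str):
    """Return (line_number, line) for each config line whose directive
    is in SUSPICIOUS_DIRECTIVES; comments and other lines are ignored."""
    hits = []
    for n, line in enumerate(config_text.splitlines(), 1):
        key = line.strip().split("=", 1)[0].strip()
        if key in SUSPICIOUS_DIRECTIVES:
            hits.append((n, line.strip()))
    return hits


# Constructed sample of a generated Pi-hole dnsmasq config with two
# injected lines after the legitimate host-record entry.
SAMPLE_CONFIG = """# constructed sample config
domain-needed
host-record=pi.lan,192.168.4.2
dhcp-script=/tmp/placeholder.sh
leasefile-ro
"""

if __name__ == "__main__":
    for n, line in find_injected_directives(SAMPLE_CONFIG):
        print(f"line {n}: suspicious directive: {line}")
```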

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the Pi-hole FTL engine to version 6.6 or later, where this vulnerability is fixed.

Until the upgrade can be performed, restrict access to the Pi-hole administrative interface to trusted users only, as the vulnerability requires authentication.

Monitor and audit the dns.hostRecord configuration parameters for any suspicious entries containing newline characters or injected dnsmasq directives.

Restart the DNS service after remediation to ensure no malicious configuration is loaded.

