CVE-2026-35520
Status: Received - Intake
Remote Code Execution in Pi-hole FTL via DHCP LeaseTime Injection

Publication date: 2026-04-07

Last updated on: 2026-04-28

Assigner: GitHub, Inc.

Description
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DHCP lease time configuration parameter (dhcp.leaseTime). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.
Meta Information
Published: 2026-04-07
Last Modified: 2026-04-28
Generated: 2026-05-07
AI Q&A: 2026-04-07
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: pi-hole
Product: ftldns
Version / Range: From 6.0 (inc) to 6.5 (inc)
CWE
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-93: The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows an authenticated attacker to execute arbitrary system commands with elevated privileges on the Pi-hole server, potentially leading to full system compromise.

Such a compromise can result in unauthorized access to sensitive data, including DNS logs and network configurations, which may contain personal or confidential information.

Exposure or exfiltration of this data could violate data protection regulations such as GDPR or HIPAA, which require safeguarding personal and sensitive information.

Therefore, organizations using vulnerable versions of Pi-hole FTL may face compliance risks if this vulnerability is exploited, especially in environments where Pi-hole serves as a primary DNS resolver.


Can you explain this vulnerability to me?

CVE-2026-35520 is a Remote Code Execution (RCE) vulnerability in the Pi-hole FTL engine versions 6.0 to before 6.6. It arises from improper input validation of the DHCP lease time configuration parameter (dhcp.leaseTime). This parameter is processed and written directly into the dnsmasq configuration file without proper sanitization, allowing an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters.

The vulnerability occurs because the validation function for dhcp.leaseTime always returns true without actual validation, permitting malicious input including newline characters. By injecting newline-separated directives such as leasefile-ro and dhcp-script, an attacker can exploit dnsmasq's behavior to execute shell commands on the underlying system.

An attacker sends an authenticated PATCH request to the Pi-hole API with a specially crafted dhcp.leaseTime value containing the malicious payload. Restarting the dnsmasq service then triggers execution of the injected commands, granting the attacker an interactive shell on the system.
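The validation gap described above, shown as an added example that is not FTL's own code: a validator that accepts every value (the flaw as the advisory describes it) beside a hardened one that rejects control bytes and only accepts dnsmasq's lease-time syntax. The function names and the exact accepted grammar are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Sketch of the flaw the advisory describes (hypothetical, not FTL's code):
 * the validator accepts every value, so a value carrying a newline is
 * written into the dnsmasq configuration as an extra line. */
bool validate_leasetime_vulnerable(const char *value)
{
    (void)value;
    return true;
}

/* Hardened validator (added example). Accepts "infinite" or an unsigned
 * integer with an optional single dnsmasq unit suffix (s, m, h, d, w).
 * Everything else is rejected, in particular CR/LF and other control
 * bytes, which is the check that closes the directive-injection hole. */
bool validate_leasetime(const char *value)
{
    if (value == NULL || *value == '\0')
        return false;
    for (const char *p = value; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (c >= 0x80 || iscntrl(c))
            return false;
    }
    if (strcmp(value, "infinite") == 0)
        return true;
    size_t len = strlen(value);
    size_t digits = strspn(value, "0123456789");
    if (digits == 0 || len > 16)
        return false;
    if (digits == len)
        return true;                   /* plain number of seconds */
    return digits == len - 1 && strchr("smhdw", value[digits]) != NULL;
}

int main(void)
{
    /* Constructed inputs: two valid values and one carrying an injected line. */
    const char *inputs[] = { "24h", "infinite", "24h\nleasefile-ro" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("input %zu: vulnerable=%d hardened=%d\n", i,
               validate_leasetime_vulnerable(inputs[i]),
               validate_leasetime(inputs[i]));
    return 0;
}
```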


How can this vulnerability impact me?

This vulnerability allows an authenticated attacker with access to the Pi-hole admin interface to execute arbitrary system commands with elevated privileges. Possible consequences include:

  • Full system compromise, including installing backdoors.
  • Exfiltration of sensitive data such as DNS logs and network configurations.
  • Lateral movement within the network.
  • DNS hijacking and network disruption.

The impact is particularly severe in enterprise environments where Pi-hole acts as a primary DNS resolver.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking whether the installed Pi-hole FTL engine is version 6.0 or later but earlier than 6.6, as these versions contain the vulnerable code.

Detection involves verifying if the DHCP lease time configuration parameter (dhcp.leaseTime) has been manipulated to include newline characters or suspicious dnsmasq directives such as 'leasefile-ro' or 'dhcp-script'.

Since the attack requires an authenticated PATCH request to the Pi-hole API endpoint /api/config, monitoring API requests for unusual PATCH operations modifying dhcp.leaseTime can help detect exploitation attempts.

Suggested commands include:

  • Check Pi-hole FTL version: `pihole-FTL version` or check installed package version.
  • Inspect the dnsmasq configuration file for injected directives: `grep -E 'leasefile-ro|dhcp-script' /etc/dnsmasq.d/*`
  • Monitor API logs or web server logs for PATCH requests to `/api/config` modifying dhcp.leaseTime.

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the Pi-hole FTL engine to version 6.6 or later, where this vulnerability is fixed.

Until the upgrade can be applied, restrict access to the Pi-hole admin interface to trusted users only, as the vulnerability requires authenticated access.

Monitor and audit API usage to detect and block suspicious PATCH requests attempting to modify dhcp.leaseTime.

Before restarting the dnsmasq service, verify that no injected configuration directives are present, since a restart is what triggers execution of injected commands.

