CVE-2026-35521
Status: Received - Intake
Remote Code Execution in Pi-hole FTL via DHCP Hosts Injection

Publication date: 2026-04-07
Last updated on: 2026-04-28
Assigner: GitHub, Inc.

Description
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution (RCE) vulnerability in the DHCP hosts configuration parameter (dhcp.hosts). This vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives through newline characters, ultimately achieving command execution on the underlying system. This vulnerability is fixed in 6.6.
Meta Information
Published: 2026-04-07
Last Modified: 2026-04-28
Generated: 2026-05-07
AI Q&A: 2026-04-07
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: pi-hole
Product: ftldns
Version / Range: From 6.0 (inc) to 6.5 (inc)
CWE
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-93: The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows authenticated attackers to execute arbitrary system commands, potentially leading to full system compromise including exfiltration of sensitive data such as DNS logs and network configurations.

Such unauthorized access and data exfiltration could result in violations of data protection regulations like GDPR and HIPAA, which mandate strict controls over personal and sensitive information.

Therefore, exploitation of this vulnerability may lead to non-compliance with these standards due to breaches of confidentiality, integrity, and availability of protected data.


Can you explain this vulnerability to me?

CVE-2026-35521 is a Remote Code Execution (RCE) vulnerability in the Pi-hole FTL engine versions 6.0 to before 6.6. It arises from improper input validation in the DHCP hosts configuration parameter (dhcp.hosts), which is used to define static DHCP host reservations via the Pi-hole API.

The vulnerability allows an authenticated attacker to inject arbitrary dnsmasq configuration directives by including newline characters in the dhcp.hosts parameter. These injected directives can include malicious commands that get executed on the underlying system.

Technically, the dhcp.hosts entries are written directly to the dnsmasq configuration file without sanitization, and the dnsmasq service executes certain directives (like dhcp-script) via a shell, enabling command execution.

Exploitation requires an authenticated user to send a specially crafted PATCH request to the Pi-hole API, injecting malicious configuration entries and then restarting the DNS resolver to trigger execution.


How can this vulnerability impact me?

This vulnerability allows an authenticated attacker to execute arbitrary system commands with the privileges of the Pi-hole service, which are typically elevated.

The impact includes full system compromise, such as installing backdoors, exfiltrating sensitive data like DNS logs and network configurations, moving laterally within the network, and disrupting DNS infrastructure.

In enterprise environments where Pi-hole acts as a primary DNS resolver, exploitation could lead to widespread network compromise.

The vulnerability is rated high severity with a CVSS v3 score of 8.8, indicating serious confidentiality, integrity, and availability impacts.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if your Pi-hole FTL engine version is between 6.0 and before 6.6, as these versions contain the Remote Code Execution flaw in the DHCP hosts configuration parameter.

Detection involves verifying if the DHCP hosts configuration parameter (`dhcp.hosts`) contains any injected newline characters or suspicious dnsmasq directives such as `leasefile-ro` or `dhcp-script` entries that could indicate exploitation attempts.

You can inspect the Pi-hole configuration files and API usage logs for unusual PATCH requests to `/api/config` that modify `dhcp.hosts` with suspicious payloads.

  • Check Pi-hole FTL version: `pihole-FTL version` or via Pi-hole admin interface.
  • Inspect DHCP hosts configuration for injected newline characters or suspicious directives in the dnsmasq config file, typically located at `/etc/dnsmasq.d/`.
  • Review API access logs for PATCH requests to `/api/config` with payloads modifying `dhcp.hosts`.
  • Because grep matches line by line, `grep -P '\n'` cannot find an injected newline; look instead for the directives the injection would have produced as their own lines, e.g. `grep -rE '^(dhcp-script|leasefile-ro)' /etc/dnsmasq.d/`.
  • Monitor running processes or network connections for suspicious activity related to Pi-hole service.
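The two checks above (a newline hidden inside a `dhcp.hosts` value, and an unexpected directive in the generated dnsmasq configuration) can be automated. The following Python script is an added example written for this page; it is not Pi-hole or FTL project code. It assumes dnsmasq's line-oriented `directive=value` syntax, uses the `dhcp-script` and `leasefile-ro` directive names mentioned on this page plus a few further directives that are an assumption on my part, and operates on constructed sample data so it runs offline; the `scan_config_dir` helper takes the `/etc/dnsmasq.d/` path from the text above as a default.

```python
"""Detection helpers for dnsmasq directive injection via dhcp.hosts (CVE-2026-35521).

Added example for this page, not Pi-hole/FTL project code. Assumes dnsmasq's
line-oriented config syntax. Sample inputs below are constructed.
"""
import re
from pathlib import Path
from typing import Iterable

# Directives that a config generated from dhcp.hosts entries should never
# contain. dhcp-script and leasefile-ro are named on the CVE page; the
# remaining entries are an assumption (other dnsmasq directives that run a
# program or pull in further configuration) and can be trimmed as needed.
SUSPICIOUS_DIRECTIVES = {
    "dhcp-script",
    "leasefile-ro",
    "dhcp-luascript",
    "conf-file",
    "conf-dir",
}

# CWE-93 marker: a CR or LF inside a single configuration value.
CRLF_RE = re.compile(r"[\r\n]")


def find_embedded_newlines(values: Iterable[str]) -> list[str]:
    """Return the dhcp.hosts values that contain a CR or LF.

    A well-formed reservation is one comma-separated record, so a newline
    inside it can only serve to start a new line in the generated config.
    """
    return [v for v in values if CRLF_RE.search(v)]


def scan_dnsmasq_config(text: str) -> list[tuple[int, str]]:
    """Return (line_number, line) for every line using a suspicious directive.

    Comments and blank lines are skipped; the directive is the part before
    the first '=', or the whole line for flag-style directives.
    """
    hits: list[tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive = line.split("=", 1)[0].strip()
        if directive in SUSPICIOUS_DIRECTIVES:
            hits.append((lineno, line))
    return hits


def scan_config_dir(directory: str = "/etc/dnsmasq.d") -> dict[str, list[tuple[int, str]]]:
    """Scan every *.conf file under a directory (path is an assumption)."""
    results: dict[str, list[tuple[int, str]]] = {}
    for path in sorted(Path(directory).glob("*.conf")):
        hits = scan_dnsmasq_config(path.read_text(errors="replace"))
        if hits:
            results[str(path)] = hits
    return results


# Constructed sample: two reservations, the second carrying an injected line.
SAMPLE_DHCP_HOSTS = [
    "aa:bb:cc:dd:ee:01,printer,192.168.1.20",
    "aa:bb:cc:dd:ee:02,nas,192.168.1.21\ndhcp-script=/tmp/injected",
]

# Constructed sample of what a generated config would look like afterwards.
SAMPLE_CONFIG = "\n".join([
    "# constructed sample of a generated dnsmasq config",
    "dhcp-range=192.168.1.100,192.168.1.200,24h",
    "dhcp-host=aa:bb:cc:dd:ee:01,printer,192.168.1.20",
    "dhcp-host=aa:bb:cc:dd:ee:02,nas,192.168.1.21",
    "dhcp-script=/tmp/injected",
    "leasefile-ro",
])


if __name__ == "__main__":
    for value in find_embedded_newlines(SAMPLE_DHCP_HOSTS):
        print("dhcp.hosts value with embedded newline:", repr(value))
    for lineno, line in scan_dnsmasq_config(SAMPLE_CONFIG):
        print(f"suspicious directive at line {lineno}: {line}")
    # Uncomment on a real host: scan_config_dir() walks /etc/dnsmasq.d/*.conf
    # print(scan_config_dir())
```

Run against the sample data the script reports the second `dhcp.hosts` value and config lines 5 and 6. On a live host, feed `find_embedded_newlines` the `dhcp.hosts` array returned by the configuration API, and point `scan_config_dir` at the directory your Pi-hole actually writes its generated dnsmasq configuration to, since that location differs between installations.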

What immediate steps should I take to mitigate this vulnerability?

The immediate and most effective mitigation is to upgrade the Pi-hole FTL engine to version 6.6 or later, where this vulnerability has been fixed.

Until the upgrade can be applied, restrict access to the Pi-hole administrative API to trusted users only, as exploitation requires authenticated access.

Avoid using or modifying the `dhcp.hosts` configuration parameter via the API or manually to prevent injection of malicious directives.

Monitor and audit API usage and configuration changes closely to detect any unauthorized or suspicious activity.

  • Upgrade Pi-hole FTL to version 6.6 or later.
  • Restrict and monitor access to the Pi-hole administrative API.
  • Avoid modifying `dhcp.hosts` configuration until patched.
  • Audit API logs and configuration files for suspicious changes.
