SB2026040955 - LDAP injection in OPNsense

Description

This security bulletin contains information about 1 security vulnerability.

1) LDAP injection (CVE-ID: CVE-2026-34578)

The vulnerability allows a remote attacker to disclose sensitive information and bypass group-based access restrictions.

The vulnerability exists due to improper neutralization of special elements used in an LDAP query in the LDAP authentication connector searchUsers() method when processing the username field supplied to the WebGUI login page. A remote attacker can inject LDAP filter metacharacters into the username field to disclose sensitive information and bypass group-based access restrictions.

Enumeration can be performed without credentials, while bypassing the extended query group restriction requires knowledge of a valid LDAP user's password and only applies when an Extended Query is configured to restrict logins by group membership.

Remediation

Install update from vendor's website.

References

• https://github.com/opnsense/core/security/advisories/GHSA-jpm7-f59c-mp54
• https://github.com/advisories/GHSA-jpm7-f59c-mp54