CVE-2026-34578

Source
https://cve.org/CVERecord?id=CVE-2026-34578
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34578.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-34578
Aliases
  • GHSA-jpm7-f59c-mp54
Published
2026-04-09T14:34:20.158Z
Modified
2026-07-15T01:49:19.567099337Z
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N CVSS Calculator
Summary
OPNsense has an LDAP Injection via Unsanitized Username in Authentication
Details

OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.6, OPNsense's LDAP authentication connector passes the login username directly into an LDAP search filter without calling ldap_escape(). An unauthenticated attacker can inject LDAP filter metacharacters into the username field of the WebGUI login page to enumerate valid LDAP usernames in the configured directory. When the LDAP server configuration includes an Extended Query to restrict login to members of a specific group, the same injection can be used to bypass that group membership restriction and authenticate as any LDAP user whose password is known, regardless of group membership. This vulnerability is fixed in 26.1.6.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34578.json",
    "cwe_ids": [
        "CWE-90"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/opnsense/core

Affected ranges

Type
GIT
Repo
https://github.com/opnsense/core
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "26.1.6"
        }
    ],
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ],
    "cpe": "cpe:2.3:a:opnsense:opnsense:*:*:*:*:*:*:*:*"
}

Affected versions

15.*
15.1
15.1.1
15.1.10
15.1.10.2
15.1.11
15.1.11.1
15.1.11.2
15.1.11.3
15.1.11.4
15.1.12
15.1.2
15.1.3
15.1.4
15.1.5
15.1.6
15.1.6.1
15.1.7
15.1.7.1
15.1.7.2
15.1.8
15.1.8.1
15.1.8.2
15.1.8.3
15.1.8.4
15.1.9
15.1.9.1
15.1.9.2
15.7
16.*
16.7.a
16.7.b
16.7.r
17.*
17.1.a
17.1.b
17.1.r
17.7.a
17.7.b
17.7.r
18.*
18.1.a
18.1.b
18.1.r
18.7.a
18.7.b
18.7.r
19.*
19.1.a
19.1.b
19.1.r
19.7.a
19.7.b
19.7.r
20.*
20.1.a
20.1.b
20.1.r
20.7.a
20.7.b
20.7.r
21.*
21.1.a
21.1.b
21.1.r
21.7.a
21.7.b
21.7.r
22.*
22.1.a
22.1.b
22.1.r
22.7.a
22.7.b
22.7.r
23.*
23.1.a
23.1.b
23.1.r
23.7.a
23.7.b
23.7.r
24.*
24.1.a
24.1.b
24.1.r
24.7.a
24.7.b
24.7.r
25.*
25.1.a
25.1.b
25.1.r
25.7.a
25.7.b
25.7.r
26.*
26.1
26.1.1
26.1.2
26.1.3
26.1.4
26.1.5
26.1.a
26.1.b
26.1.r
26.1.r1
26.1.r2
26.7.a

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34578.json"