OPNsense LDAP Connector Vulnerable to Unauthenticated Filter Injection
OPNsense, the widely-deployed open-source FreeBSD-based firewall and routing platform, has disclosed CVE-2026-34578 — a high-severity LDAP injection vulnerability affecting its authentication connector. The flaw allows an unauthenticated attacker to inject LDAP filter metacharacters into the username field, potentially bypassing authentication controls and gaining unauthorized access to the management interface.
The vulnerability carries a CVSS score of 8.2 and affects all OPNsense versions prior to 26.1.6. The patch is included in OPNsense 26.1.6, released April 9, 2026.
Vulnerability Details
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-34578 |
| CVSS Score | 8.2 (High) |
| Affected Versions | OPNsense < 26.1.6 |
| Patched Version | OPNsense 26.1.6 |
| CWE | CWE-90: Improper Neutralization of Special Elements in LDAP Queries |
| Attack Type | LDAP Filter Injection → Authentication Bypass |
| Authentication Required | None |
| User Interaction | None |
| Disclosure Date | April 9, 2026 |
Technical Analysis
Root Cause
OPNsense's LDAP authentication connector passes the login username directly into an LDAP search filter without calling ldap_escape() or equivalent sanitization. This is a classic LDAP injection pattern — the username value is inserted verbatim into a filter such as:
```text
(&(objectClass=user)(uid=USERNAME))
```
If the username contains LDAP filter metacharacters (`*`, `(`, `)`, `\`, NUL), an attacker can alter the logic of the filter query.
Attack Scenario
An attacker targeting an OPNsense deployment configured with LDAP authentication can supply a crafted username to manipulate the LDAP filter:
Normal login:
```text
username: alice
LDAP filter: (&(objectClass=user)(uid=alice))
```
Injected login:
```text
username: *)(uid=*))(|(uid=*
LDAP filter: (&(objectClass=user)(uid=*)(uid=*))(|(uid=*))
```
Depending on the LDAP server configuration and the specific filter structure, this can cause the server to return all users or bypass the uid-matching constraint entirely — allowing the attacker to authenticate without a valid credential.
Why OPNsense is a Critical Target
OPNsense is frequently deployed as the perimeter firewall and VPN gateway in enterprise, home lab, and service provider environments. Unauthorized access to the management interface via LDAP injection could allow an attacker to:
- Reconfigure firewall rules and open inbound access
- Disable VPN authentication or exfiltrate VPN credentials
- Pivot into protected network segments
- Access connected services via the admin interface
Affected Configurations
Not all OPNsense deployments are affected equally:
| Configuration | Risk |
|---|---|
| OPNsense with LDAP/Active Directory authentication | Vulnerable |
| OPNsense with local user accounts only | Not affected |
| OPNsense with RADIUS authentication | Not affected |
| Versions prior to 26.1.6 | Patch required |
| OPNsense 26.1.6+ | Patched |
Remediation
Upgrade to OPNsense 26.1.6 (Strongly Recommended)
OPNsense 26.1.6 resolves the vulnerability by properly escaping user-supplied input before constructing LDAP search filters.
To update via the OPNsense web interface:
- Navigate to System → Firmware → Updates
- Click Check for updates
- Apply the 26.1.6 update
- Reboot when prompted
To update via the command line (as root):
```sh
opnsense-update -uf
reboot
```
Interim Mitigations
If immediate upgrade is not possible:
1. Restrict management interface access
Limit access to the OPNsense admin interface to trusted IP addresses only via firewall rules or the built-in "Allow management access from these hosts" setting under System → Settings → Administration.
2. Disable LDAP authentication temporarily
If LDAP authentication is not required for day-to-day operations, switch to local accounts while planning the upgrade:
Navigate to System → Access → Servers and remove or disable the LDAP authentication server. Ensure a local admin account is available before doing so.
3. Use a WAF or reverse proxy with input validation
If the OPNsense web interface is exposed behind a reverse proxy, configure the proxy to block requests containing LDAP metacharacters in authentication parameters.
Detection
Review OPNsense authentication logs for anomalous login attempts containing LDAP metacharacters:
```sh
# Check OPNsense authentication logs
grep -E "\*|\)\(|\|\(|&\(" /var/log/opnsense/auth.log
# Review failed authentication attempts from unexpected IPs
grep "authentication failed" /var/log/opnsense/auth.log | \
  awk '{print $NF}' | sort | uniq -c | sort -rn | head -20
```
Attempts to exploit this vulnerability will typically appear as failed authentication events with usernames containing `*`, `)(`, or other filter metacharacters.
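The escaping the fix relies on and the log check above, as an added example that is not OPNsense's own code: RFC 4515 filter-value escaping with the same metacharacter set as PHP's ldap_escape() in filter mode, the advisory's uid filter built with and without it, a structural check that rejects a filter the injected username has split into two top-level clauses, and the Detection section's grep patterns applied to constructed log lines (the log layout and hostnames are assumptions, not OPNsense's real format).

```python
# Added example (not OPNsense's own code): RFC 4515 filter-value escaping, the
# neutralization PHP's ldap_escape(..., LDAP_ESCAPE_FILTER) applies, the advisory's
# uid filter built with and without it, and a scan of constructed log lines for
# usernames carrying filter metacharacters.
import re

_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
INJECTED = "*)(uid=*))(|(uid=*"  # the username from the attack scenario above

def escape_filter_value(value: str) -> str:
    """Replace each RFC 4515 metacharacter with its backslash-hex form; it then matches only literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_user_filter(username: str, escape: bool = True) -> str:
    """The advisory's lookup filter; escape=False reproduces the pre-26.1.6 behaviour."""
    value = escape_filter_value(username) if escape else username
    return f"(&(objectClass=user)(uid={value}))"

def is_single_expression(filt: str) -> bool:
    """True if the filter is exactly one balanced parenthesised expression (injection leaves a second)."""
    depth = 0
    for i, ch in enumerate(filt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0 or (depth == 0 and i != len(filt) - 1):
                return False
    return depth == 0 and filt.startswith("(")

# Same patterns as the grep in the Detection section: '*', ')(', '|(' and '&('.
_METACHARS = re.compile(r"\*|\)\(|\|\(|&\(")
_LOGIN = re.compile(r"user '([^']*)' from (\S+)")

# Constructed sample lines; the layout is illustrative, not OPNsense's real log format.
SAMPLE_LOG = [
    "Apr  9 10:01:02 fw01 authentication failed for user 'alice' from 198.51.100.7",
    "Apr  9 10:01:09 fw01 authentication failed for user '" + INJECTED + "' from 203.0.113.5",
    "Apr  9 10:02:11 fw01 authentication succeeded for user 'bob' from 198.51.100.8",
]

def suspicious_logins(log_lines):
    """Return (username, source) pairs whose username contains filter metacharacters."""
    hits = []
    for line in log_lines:
        m = _LOGIN.search(line)
        if m and _METACHARS.search(m.group(1)):
            hits.append((m.group(1), m.group(2)))
    return hits
```

With escaping applied, the injected username becomes `\2a\29\28uid=\2a\29\29\28|\28uid=\2a`, a literal that no directory entry will match, and the filter stays a single well-formed expression.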