CVE-2026-34578

Name of the Vulnerable Software and Affected Versions OPNsense versions prior to 26.1.6

Description OPNsense's LDAP authentication connector does not properly sanitize user-supplied input when constructing LDAP search filters. Specifically, the username provided during WebGUI login is directly incorporated into the LDAP filter without escaping special characters. This allows an unauthenticated attacker to inject LDAP filter metacharacters into the username field, potentially enabling them to enumerate valid LDAP usernames within the configured directory. If the LDAP server configuration includes an Extended Query to limit login access to members of a specific group, the same injection technique can be used to bypass this group membership restriction and authenticate as any LDAP user whose password is known, regardless of their group affiliation.

Recommendations Upgrade to OPNsense version 26.1.6 or later.