LDAP Authentication Bypass Vulnerability in OPNsense Firewall
CVE-2026-34578

8.2 HIGH

Key Information:

Vendor

OPNsense

Status
Vendor
CVE Published: 9 April 2026

What is CVE-2026-34578?

The OPNsense Firewall, a FreeBSD-based platform, has a vulnerability in its LDAP authentication connector, which improperly handles user input. Prior to version 26.1.6, the software places unsanitized usernames directly into LDAP search filters, allowing unauthenticated attackers to manipulate the resulting queries. This can lead to the enumeration of valid LDAP usernames from the configured directory. Furthermore, if the LDAP server is set to limit access by group membership, attackers can exploit this flaw to bypass those restrictions and impersonate any LDAP user, provided that user's password is known. Users are recommended to update to the latest version to mitigate these security risks.
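The class of flaw described above, shown as an added example that is not OPNsense code: a username concatenated into a search filter next to the same filter built with RFC 4515 escaping, plus a check that flags login attempts carrying filter metacharacters. The attribute name `uid`, the restriction clause and the sample usernames are assumptions constructed for illustration.

```python
"""Added illustration: RFC 4515 escaping for usernames placed in LDAP search filters."""

# RFC 4515 section 3: these characters must be escaped as \XX (hex) inside
# an assertion value, otherwise they are parsed as filter syntax.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Return value with every filter metacharacter hex-escaped."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(username: str, attr: str = "uid") -> str:
    """Pattern the advisory describes: raw input concatenated into the filter."""
    return f"({attr}={username})"


def build_filter_safe(username: str, attr: str = "uid",
                      restriction: str = "(objectClass=person)") -> str:
    """Escaped input; the restriction clause (assumed) stays structurally intact."""
    return f"(&{restriction}({attr}={escape_filter_value(username)}))"


def suspicious_usernames(attempts):
    """Detection aid: usernames from login attempts that carry filter metacharacters."""
    return [u for u in attempts if any(ch in _ESCAPES for ch in u)]


# Constructed sample login attempts (not taken from any real log).
SAMPLE_ATTEMPTS = ["alice", "jo*", "a)(b", "bob.smith"]

if __name__ == "__main__":
    for name in SAMPLE_ATTEMPTS:
        print(f"{name!r:12} unsafe={build_filter_unsafe(name):14} "
              f"safe={build_filter_safe(name)}")
    print("flag for review:", suspicious_usernames(SAMPLE_ATTEMPTS))
```

Usernames flagged by `suspicious_usernames` in authentication logs from releases before 26.1.6 are worth reviewing, since legitimate account names rarely contain these characters.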

Affected Version(s)

core < 26.1.6

CVSS V3.1

Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
