## https://sploitus.com/exploit?id=A0793913-1097-5A60-80D7-42107776F227
# CVE-2026-35517 - Pi-hole FTLDNS Remote Code Execution via Newline Injection
## TL;DR
A **Remote Code Execution** vulnerability in Pi-hole's FTLDNS engine (versions 6.0 through 6.5) allows an authenticated attacker to inject arbitrary dnsmasq configuration directives by embedding **newline characters** (`\n`) into the `dns.upstreams` API parameter. Since dnsmasq supports directives that execute shell commands, this newline injection directly translates to **full command execution on the host system**.
This isn't just a single bug; it's a class of injection that affects **five different configuration parameters**, all patched together in FTL v6.6.
---
## Table of Contents
- [Quick Facts](#quick-facts)
- [What is Pi-hole FTLDNS?](#what-is-pi-hole-ftldns)
- [Vulnerability Deep Dive](#vulnerability-deep-dive)
- [Understanding the Architecture](#understanding-the-architecture)
- [The Injection Point](#the-injection-point)
- [From Newline to Shell — The Kill Chain](#from-newline-to-shell--the-kill-chain)
- [The Full Family — Five Injection Vectors](#the-full-family--five-injection-vectors)
- [Impact Analysis](#impact-analysis)
- [Affected Versions](#affected-versions)
- [Who is at Risk?](#who-is-at-risk)
- [Detection](#detection)
- [Python Scanner](#python-scanner)
- [Nmap NSE Script](#nmap-nse-script)
- [Manual Version Check](#manual-version-check)
- [Indicators of Compromise](#indicators-of-compromise)
- [Remediation](#remediation)
- [References](#references)
- [Author](#author)
---
## Quick Facts
| Field | Detail |
|-------|--------|
| **CVE ID** | CVE-2026-35517 |
| **Vendor** | Pi-hole Project |
| **Product** | FTLDNS (pihole-FTL) |
| **Affected Versions** | 6.0 to 6.5 |

## Vulnerability Deep Dive

### Understanding the Architecture

```
+------------------+        +------------------+        +------------------+
|   Web UI / API   | -----> |      FTLDNS      | -----> |     dnsmasq      |
|                  |        |   (pihole-FTL)   |        |    (DNS/DHCP)    |
+------------------+        +------------------+        +------------------+
                                     |                           |
                             Reads settings,              Reads config,
                             writes to config             serves DNS/DHCP
                             files on disk                to network
```
When an admin changes the upstream DNS servers through the Pi-hole web UI or API, the flow is:
1. The web UI sends a request to the FTLDNS API with the new upstream DNS value
2. FTLDNS validates the input (or rather, fails to validate it properly)
3. FTLDNS writes the value into a dnsmasq configuration directive
4. dnsmasq is restarted and reads the new configuration
### The Injection Point
The `dns.upstreams` parameter is intended to accept DNS server addresses like `8.8.8.8` or `1.1.1.1`. FTLDNS writes these into the dnsmasq config as `server=` directives:
```
# Normal input: "8.8.8.8"
# Generates:
server=8.8.8.8
```
The problem: **FTLDNS does not sanitize newline characters in the input**. An attacker can inject `\n` to break out of the intended `server=` directive and inject entirely new configuration lines:
```
# Malicious input: "8.8.8.8\ndhcp-option=6,evil.dns.server"
# Generates:
server=8.8.8.8
dhcp-option=6,evil.dns.server
```
This alone would be concerning (DNS hijacking via DHCP option injection). But it gets worse.
### From Newline to Shell — The Kill Chain
dnsmasq supports a configuration directive called `dhcp-option` that can reference external scripts, and more critically, it supports several directives that can execute commands in specific scenarios. The exploitation chain looks like this:
```
Step 1: Attacker authenticates to Pi-hole
        (default creds, weak password, CSRF, compromised session)

Step 2: Attacker sends API request to update dns.upstreams:
        POST /api/dns/upstream
        {
          "upstreams": ["8.8.8.8\n"]
        }

Step 3: FTLDNS writes the value to the dnsmasq config file
        without sanitizing the newline

Step 4: The injected dnsmasq directive is parsed as a
        legitimate configuration option

Step 5: Depending on the directive injected, the attacker achieves:
        - DNS hijacking (redirect all DNS queries)
        - DHCP poisoning (push malicious configs to clients)
        - Command execution via dnsmasq's scripting capabilities
        - File write to arbitrary paths
```
The key insight is that this isn't about exploiting a dnsmasq vulnerability; dnsmasq is working as designed. The vulnerability is that FTLDNS lets untrusted input bleed into the configuration file, turning a configuration management API into an arbitrary config injection point.
### The Full Family — Five Injection Vectors
The researcher (T0X1Cx) discovered that the same newline injection pattern affects **five different FTLDNS configuration parameters**. This is a systemic issue, since the code lacked input sanitization across the board:
| Advisory | Parameter | What It Controls |
|----------|-----------|-----------------|
| **GHSA-23w8-7333-p9fj** | `dns.upstreams` | Upstream DNS servers |
| **GHSA-wxhv-w77q-6qwp** | `dns.hostRecord` | Custom DNS host records |
| **GHSA-28g5-gg88-wh5m** | `dns.cnameRecords` | CNAME record mappings |
| **GHSA-fqv2-qhfh-ghcj** | `dhcp.leaseTime` | DHCP lease duration |
| **GHSA-vfmq-jrx3-wv3c** | `dhcp.hosts` | Static DHCP host assignments |
Each of these parameters writes to dnsmasq configuration files, and each failed to sanitize newline characters. The fix in FTL v6.6 added proper input validation that rejects newline characters (and other control characters) across all configuration parameters.
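To make the newline split from the `server=` example above and the class of fix concrete, here is an added example written for this write-up; it is not FTL's code. An unchecked renderer reproduces the pre-6.6 behaviour for `dns.upstreams`, and a hardened one applies the same two-stage check the v6.6 fix applies across all five parameters: reject any control character in any value, then check the parameter-specific shape. The `server=` rendering, the regexes, the function names and the `ConfigValueError` type are assumptions of this example, not FTL's API.

```python
import re
from typing import Iterable

# Any byte below 0x20 (plus DEL) can never be part of a legitimate directive value;
# \n and \r are the ones that split one directive into two. Checking the whole class
# rather than just "\n" mirrors the scope of the v6.6 fix described above.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Shape of one upstream entry: IPv4, IPv6 (bracketed or bare) or a hostname, with an
# optional '#port'. This grammar is an assumption of the example, not FTL's own rule.
_UPSTREAM_RE = re.compile(
    r"^(?:\d{1,3}(?:\.\d{1,3}){3}"                       # IPv4
    r"|\[[0-9A-Fa-f:.]+\]|[0-9A-Fa-f]*:[0-9A-Fa-f:.]*"   # IPv6, bracketed or bare
    r"|[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"         # hostname: first label...
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*)"  # ...then further labels
    r"(?:#\d{1,5})?$"
)


class ConfigValueError(ValueError):
    """Raised when a value must not be written into a dnsmasq config file."""


def render_upstreams_unchecked(upstreams: Iterable[str]) -> str:
    """Pre-6.6 behaviour as the advisory describes it: each value is interpolated
    verbatim into a server= line, so an embedded newline yields a second directive."""
    return "".join(f"server={u}\n" for u in upstreams)


def validate_config_value(param: str, value: str) -> str:
    """Parameter-agnostic check: reject control characters in any config value.
    The same check applies to dns.hostRecord, dns.cnameRecords, dhcp.leaseTime
    and dhcp.hosts, since all of them end up in dnsmasq config files."""
    hit = _CONTROL_CHARS.search(value)
    if hit:
        raise ConfigValueError(
            f"{param}: control character U+{ord(hit.group()):04X} at offset {hit.start()}"
        )
    return value


def render_upstreams_checked(upstreams: Iterable[str]) -> str:
    """Hardened renderer: generic control-character rejection first, then the
    parameter-specific shape check, and only then the write."""
    lines = []
    for u in upstreams:
        validate_config_value("dns.upstreams", u)
        if not _UPSTREAM_RE.match(u):
            raise ConfigValueError(f"dns.upstreams: {u!r} is not an address or hostname")
        lines.append(f"server={u}\n")
    return "".join(lines)


def directive_count(rendered: str) -> int:
    """How many directive lines dnsmasq would parse from the rendered text."""
    return sum(1 for line in rendered.splitlines() if line.strip())


def is_accepted(upstreams: Iterable[str]) -> bool:
    """True if the hardened renderer accepts the whole list unchanged."""
    try:
        render_upstreams_checked(upstreams)
    except ConfigValueError:
        return False
    return True


if __name__ == "__main__":
    # The advisory's own example input: one value in, two directives out.
    injected = "8.8.8.8\ndhcp-option=6,evil.dns.server"
    print(render_upstreams_unchecked([injected]), end="")
    print("directives written:", directive_count(render_upstreams_unchecked([injected])))
    print("hardened renderer accepts it:", is_accepted([injected]))
```

The order of the two checks matters: the control-character test is cheap, parameter-independent and catches the whole bug class, so it belongs in one shared place rather than being re-implemented per parameter, which is how five separate parameters ended up with the same gap.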
---
## Impact Analysis
**On the Pi-hole host:**
- Full command execution with the privileges of the FTLDNS process (typically root or pihole user)
- Since Pi-hole often runs on dedicated devices (Raspberry Pi) or as a privileged container, this frequently means root access
- File read/write access to the host filesystem
- Persistence via cron jobs, SSH keys, or modified system files
**On the network (downstream impact):**
- DNS hijacking: redirect all DNS queries to attacker-controlled servers
- DHCP poisoning: push malicious DNS, gateway, or NTP settings to all DHCP clients
- Man-in-the-middle positioning: by controlling DNS, the attacker can redirect traffic for any domain
- Credential harvesting: redirect authentication endpoints to phishing servers
- Malware distribution: redirect software update domains to serve malicious payloads
**Risk amplification factors:**
- Pi-hole is often the **only DNS server** on the network; compromise it, and you control name resolution for every device
- Many Pi-hole installations use **default or weak admin passwords**
- Pi-hole instances are frequently **exposed to the entire local network**, not just admins
- CSRF attacks against the Pi-hole web interface could trigger exploitation without direct authentication
---
## Affected Versions
| Version | Status |
|---------|--------|
| FTLDNS 6.6+ | **Patched** |
| FTLDNS 6.0 to 6.5 | **Vulnerable** |
| FTLDNS 5.x and earlier | Not affected (different API architecture) |
To check your version:
```bash
pihole -v
# or
pihole-FTL --version
```
---
## Who is at Risk?
**High risk:**
- Pi-hole instances accessible from untrusted network segments
- Deployments using default or weak admin passwords
- Pi-hole exposed to the internet (surprisingly common on Shodan)
- Shared hosting environments where multiple users access the same network
**Moderate risk:**
- Pi-hole instances in well-segmented home networks with strong passwords
- Deployments behind VPN with multi-factor authentication
**Lower risk (but still patch):**
- Air-gapped or fully isolated Pi-hole instances
- Read-only or API-disabled deployments
---
## Detection
### Python Scanner
The Python script detects vulnerable Pi-hole instances through version-based analysis.
**How it works:**
1. **Fingerprinting**: Identifies Pi-hole via admin interface indicators (page content, headers)
2. **API Version Query**: Queries both Pi-hole v5 and v6 API endpoints for FTL version info
3. **Version Comparison**: Parses the FTL version string and checks it against the vulnerable range (6.0 ≤ v ≤ 6.5)

### Nmap NSE Script

```bash
# Scan common Pi-hole ports
nmap -p 80,443,8080,4711 --script CVE-2026-35517_PiHole_FTLDNS <target>
# Subnet scan: find all Pi-hole instances on a network
nmap -p 80 --script CVE-2026-35517_PiHole_FTLDNS 192.168.1.0/24
# Combined with version detection
nmap -sV -p 80,443 --script CVE-2026-35517_PiHole_FTLDNS <target>
# Scan targets from a file
nmap -p 80 --script CVE-2026-35517_PiHole_FTLDNS -iL targets.txt
```
**Example Nmap output:**
```
PORT   STATE SERVICE
80/tcp open  http
| CVE-2026-35517_PiHole_FTLDNS:
|   VULNERABLE:
|   Pi-hole FTLDNS RCE via Upstream DNS Configuration
|     State: VULNERABLE
|     IDs:  CVE:CVE-2026-35517
|     Risk factor: High (CVSS: 8.8)
|     Disclosure date: 2026-04-07
|     Extra information:
|       FTL Version: v6.4
|       Core Version: v6.3
|       Web Version: v6.4
|       Related advisories also fixed in FTL v6.6:
|         GHSA-wxhv-w77q-6qwp (dns.hostRecord injection)
|         GHSA-28g5-gg88-wh5m (dns.cnameRecords injection)
|         GHSA-fqv2-qhfh-ghcj (dhcp.leaseTime injection)
|         GHSA-vfmq-jrx3-wv3c (dhcp.hosts injection)
|       Remediation: Upgrade to Pi-hole FTL v6.6+ (pihole -up)
|     References:
|       https://vulners.com/cve/CVE-2026-35517
|_      https://github.com/pi-hole/FTL/security/advisories/GHSA-23w8-7333-p9fj
```
### Manual Version Check
If you have SSH access to the Pi-hole host:
```bash
# Check FTL version
pihole-FTL --version
# Or via the Pi-hole CLI
pihole -v
# Check via API (v6)
curl -s http://pi.hole/api/info/version | python3 -m json.tool
# Check via API (v5)
curl -s http://pi.hole/admin/api.php?versions | python3 -m json.tool
```
If the FTL version is between 6.0 and 6.5 (inclusive), you are vulnerable.
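The version comparison the scanner performs, as an added example rather than the scanner's own code: parse the FTL version string and test it against the 6.0 to 6.5 range. Development builds without a dotted numeric version return `None`, so an unparseable build is never silently reported as safe. The helper that extracts the FTL version from the `/api/info/version` response walks the JSON generically because the exact layout of that response is assumed here, not taken from the advisory; the sample payload is constructed.

```python
import json
import re
from typing import Optional, Tuple

# Range from the advisory: FTL 6.0 through 6.5 inclusive are affected; 6.6 is the fix.
VULN_MIN = (6, 0)
FIXED_IN = (6, 6)

# Accepts 'v6.4', '6.5', 'v6.5.1'; a development tag such as 'vDev-1a2b3c' carries
# no dotted number and deliberately does not match.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_ftl_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for a version string, or None if it has no
    dotted numeric version (development builds, empty output, garbage)."""
    m = _VERSION_RE.match((text or "").strip())
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return int(major), int(minor), int(patch)


def is_vulnerable(text: str) -> Optional[bool]:
    """True for 6.0 <= version < 6.6, False otherwise, None when the version is
    unknown so that an unparseable build is never reported as safe."""
    v = parse_ftl_version(text)
    if v is None:
        return None
    return VULN_MIN <= v[:2] < FIXED_IN


def ftl_version_from_json(payload: str) -> Optional[str]:
    """Pull the FTL version string out of a /api/info/version response.
    The API's exact layout is an assumption here, so the walk is generic: the
    first version-looking string found beneath a key named 'ftl' is returned."""
    def walk(node, under_ftl: bool) -> Optional[str]:
        if isinstance(node, dict):
            for key, child in node.items():
                found = walk(child, under_ftl or key.lower() == "ftl")
                if found:
                    return found
        elif isinstance(node, list):
            for child in node:
                found = walk(child, under_ftl)
                if found:
                    return found
        elif isinstance(node, str) and under_ftl and _VERSION_RE.match(node):
            return node
        return None

    return walk(json.loads(payload), False)


# Constructed sample response: the nesting mimics what a v6 API might return and
# is not copied from a real Pi-hole. 'local' is listed before 'remote' on purpose,
# since the installed version is the one that matters.
SAMPLE_VERSION_JSON = json.dumps({
    "version": {
        "core": {"local": {"version": "v6.3", "branch": "master"}},
        "web": {"local": {"version": "v6.4", "branch": "master"}},
        "ftl": {"local": {"version": "v6.4", "branch": "master", "hash": "abc1234"},
                "remote": {"version": "v6.6"}},
    }
})


def assess_json(payload: str) -> Tuple[Optional[str], Optional[bool]]:
    """Convenience wrapper: (FTL version string found, vulnerable verdict)."""
    version = ftl_version_from_json(payload)
    return version, (is_vulnerable(version) if version else None)


if __name__ == "__main__":
    print(assess_json(SAMPLE_VERSION_JSON))
```

Comparing tuples of integers rather than strings avoids the classic mistake of treating `"6.10"` as smaller than `"6.6"`; the `None` verdict is deliberate so a scanner surfaces "unknown" instead of a false negative.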
---
## Indicators of Compromise
**What to look for:**
- **Unusual dnsmasq configuration entries**: Check `/etc/dnsmasq.d/` and `/etc/pihole/` for unexpected directives
- **Modified upstream DNS settings**: Verify your configured upstream servers haven't been changed
- **Unexpected API calls**: Review Pi-hole's query log and API access logs for configuration change requests
- **Anomalous DNS behavior**: Clients resolving domains to unexpected IP addresses
- **New cron jobs or SSH keys**: If the host has been compromised via command execution
- **Process anomalies**: Unexpected child processes spawned by dnsmasq or pihole-FTL
**Commands to investigate:**
```bash
# Check dnsmasq configs for injected lines
grep -r "dhcp-option\|addn-hosts\|conf-file\|log-facility" /etc/dnsmasq.d/
# Check for recent config modifications
find /etc/pihole /etc/dnsmasq.d -mtime -7 -ls
# Review Pi-hole's debug log
pihole -d
# Check running processes for anomalies
ps aux | grep -E "dnsmasq|pihole"
# Review crontab for persistence
crontab -l
cat /etc/crontab
ls -la /etc/cron.d/
```
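The config review the first indicator and the `grep` above describe, as an added example that is not the author's tooling: it walks a directory of dnsmasq config files, flags any directive outside an expected baseline, reports the directives the `grep` command lists separately for manual confirmation (they are legitimate in some setups), and checks `server=` values for characters an address or hostname would never contain, which is exactly what a newline-smuggled payload tends to introduce. The baseline set, the `Finding` type and the sample config are constructed for this example; build the real baseline from a known-good install of the same version.

```python
import glob
import os
import re
from dataclasses import dataclass
from typing import List

# Directives one expects in the dnsmasq files Pi-hole writes. This baseline is an
# assumption of the example; derive the real one from a known-good install.
EXPECTED_DIRECTIVES = {
    "server", "rev-server", "cache-size", "local-ttl", "domain-needed", "bogus-priv",
    "localise-queries", "log-queries", "log-async", "except-interface", "interface",
    "bind-interfaces", "no-resolv", "no-hosts", "hostsdir",
}

# Directives the advisory's grep command singles out. Some are legitimate in some
# Pi-hole setups, so a hit means "verify the value", not "compromised".
SUSPECT_DIRECTIVES = {"dhcp-option", "addn-hosts", "conf-file", "log-facility"}

# Characters a sane server= value is made of: address or hostname, '#port',
# '@interface', '/domain/' prefixes. Anything else on that line deserves a look.
_SERVER_VALUE_RE = re.compile(r"^[A-Za-z0-9.:#@/\[\]_-]+$")


@dataclass
class Finding:
    path: str
    lineno: int
    line: str
    reason: str


def audit_dnsmasq_text(path: str, text: str) -> List[Finding]:
    """Audit one config file's content. Each non-comment line is a dnsmasq
    directive, optionally 'name=value'; report anything outside the baseline."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition("=")
        name, value = name.strip(), value.strip()
        if name in SUSPECT_DIRECTIVES:
            findings.append(Finding(path, lineno, line, "directive on the advisory's watch list"))
        elif name not in EXPECTED_DIRECTIVES:
            findings.append(Finding(path, lineno, line, "directive not in the expected baseline"))
        elif name == "server" and not _SERVER_VALUE_RE.match(value):
            findings.append(Finding(path, lineno, line, "server= value contains unexpected characters"))
    return findings


def audit_dnsmasq_dir(directory: str) -> List[Finding]:
    """Run the audit over every *.conf file in a directory such as /etc/dnsmasq.d."""
    findings: List[Finding] = []
    for path in sorted(glob.glob(os.path.join(directory, "*.conf"))):
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings.extend(audit_dnsmasq_text(path, fh.read()))
    return findings


# Constructed sample: an upstream file as the advisory's example would leave it,
# one injected line among otherwise ordinary directives.
SAMPLE_CONFIG = """\
# Pi-hole managed upstream servers (constructed sample)
server=8.8.8.8
server=1.1.1.1
dhcp-option=6,evil.dns.server
cache-size=10000
domain-needed
bogus-priv
"""

if __name__ == "__main__":
    for f in audit_dnsmasq_text("sample.conf", SAMPLE_CONFIG):
        print(f"{f.path}:{f.lineno}: {f.reason}: {f.line}")
```

An allowlist of expected directives catches whatever was injected without having to enumerate every dangerous dnsmasq option in advance; the watch list only adds priority to the hits the advisory already calls out.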
---
## Remediation
**Immediate action - upgrade now:**
```bash
# Update Pi-hole (includes FTL, Web, and Core)
pihole -up
# Verify the update
pihole -v
# FTL version should be >= 6.6
```
**If you can't upgrade immediately:**
1. **Restrict API access**: Configure Pi-hole to only accept API connections from trusted IPs
2. **Change the admin password**: Use a strong, unique password: `pihole -a -p`
3. **Network isolation**: Ensure the Pi-hole admin interface is only accessible from a management VLAN
4. **Disable remote API**: If you only use the local web UI, restrict the API to localhost
**Post-patch actions:**
5. **Audit DNS configuration**: Review all dnsmasq config files for injected directives
6. **Verify upstream servers**: Confirm your DNS upstream settings are correct
7. **Check for persistence**: Look for unauthorized cron jobs, SSH keys, or modified system files
8. **Review DHCP leases**: If DHCP is managed by Pi-hole, verify lease configurations
9. **Monitor DNS behavior**: Watch for anomalous resolution patterns over the next few days
---
## References
- [GitHub Security Advisory GHSA-23w8-7333-p9fj (dns.upstreams)](https://github.com/pi-hole/FTL/security/advisories/GHSA-23w8-7333-p9fj)
- [GitHub Security Advisory GHSA-wxhv-w77q-6qwp (dns.hostRecord)](https://github.com/pi-hole/FTL/security/advisories/GHSA-wxhv-w77q-6qwp)
- [GitHub Security Advisory GHSA-28g5-gg88-wh5m (dns.cnameRecords)](https://github.com/pi-hole/FTL/security/advisories/GHSA-28g5-gg88-wh5m)
- [GitHub Security Advisory GHSA-fqv2-qhfh-ghcj (dhcp.leaseTime)](https://github.com/pi-hole/FTL/security/advisories/GHSA-fqv2-qhfh-ghcj)
- [GitHub Security Advisory GHSA-vfmq-jrx3-wv3c (dhcp.hosts)](https://github.com/pi-hole/FTL/security/advisories/GHSA-vfmq-jrx3-wv3c)
- [Pi-hole FTL v6.6 Release Notes](https://pi-hole.net/blog/2026/04/03/pi-hole-ftl-v6-6-web-v6-5-and-core-v6-4-1-released/)
---
## Author
**Kerem Oruç** - Cybersecurity Engineer
- GitHub: [@keraattin](https://github.com/keraattin)
- Twitter: [@keraattin](https://twitter.com/keraattin)