CVE-2026-39849: CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') in pi-hole FTL
CVE-2026-39849 is a high-severity vulnerability in Pi-hole FTL versions before 6. 6. 1 where the dns. interface configuration field improperly accepts newline characters. This allows an attacker with network adjacency and no admin password set to inject arbitrary directives into the dnsmasq configuration, enabling the built-in DHCP server and achieving arbitrary command execution on the host. The injected configuration persists across restarts. The issue is fixed in version 6. 6. 1.
AI Analysis
Technical Summary
Pi-hole FTL, the core engine of the Pi-hole network-level ad blocker, had a vulnerability (CWE-93) in versions prior to 6.6.1 where the dns.interface configuration field accepted newline characters without validation. This flaw allowed network-adjacent attackers to inject arbitrary directives into the dnsmasq configuration file via the configuration API, which is accessible without credentials if no admin password is set. Exploitation can enable the built-in DHCP server and lead to arbitrary command execution on the host when a DHCP lease is requested. The injected payload is limited to 31 bytes but can include newline characters to inject multiple directives. The vulnerability was addressed in Pi-hole FTL version 6.6.1.
Potential Impact
An attacker on the same network can exploit this vulnerability to inject malicious directives into the dnsmasq configuration, enabling the DHCP server and executing arbitrary commands on the host system. This can lead to full system compromise. The vulnerability requires no user interaction and no authentication if the admin password is unset, which is the default in many deployments. The injected payload persists across system restarts, increasing the attack's persistence.
Mitigation Recommendations
This vulnerability is fixed in Pi-hole FTL version 6.6.1. Users should upgrade to version 6.6.1 or later to remediate this issue. If upgrading immediately is not possible, setting a strong admin password to restrict access to the configuration API can mitigate unauthorized exploitation. Patch status is not explicitly confirmed in the vendor advisory, but the fix is included in version 6.6.1 as stated.
CVE-2026-39849: CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') in pi-hole FTL
Description
CVE-2026-39849 is a high-severity vulnerability in Pi-hole FTL versions before 6. 6. 1 where the dns. interface configuration field improperly accepts newline characters. This allows an attacker with network adjacency and no admin password set to inject arbitrary directives into the dnsmasq configuration, enabling the built-in DHCP server and achieving arbitrary command execution on the host. The injected configuration persists across restarts. The issue is fixed in version 6. 6. 1.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Pi-hole FTL, the core engine of the Pi-hole network-level ad blocker, had a vulnerability (CWE-93) in versions prior to 6.6.1 where the dns.interface configuration field accepted newline characters without validation. This flaw allowed network-adjacent attackers to inject arbitrary directives into the dnsmasq configuration file via the configuration API, which is accessible without credentials if no admin password is set. Exploitation can enable the built-in DHCP server and lead to arbitrary command execution on the host when a DHCP lease is requested. The injected payload is limited to 31 bytes but can include newline characters to inject multiple directives. The vulnerability was addressed in Pi-hole FTL version 6.6.1.
Potential Impact
An attacker on the same network can exploit this vulnerability to inject malicious directives into the dnsmasq configuration, enabling the DHCP server and executing arbitrary commands on the host system. This can lead to full system compromise. The vulnerability requires no user interaction and no authentication if the admin password is unset, which is the default in many deployments. The injected payload persists across system restarts, increasing the attack's persistence.
Mitigation Recommendations
This vulnerability is fixed in Pi-hole FTL version 6.6.1. Users should upgrade to version 6.6.1 or later to remediate this issue. If upgrading immediately is not possible, setting a strong admin password to restrict access to the configuration API can mitigate unauthorized exploitation. Patch status is not explicitly confirmed in the vendor advisory, but the fix is included in version 6.6.1 as stated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-07T19:13:20.378Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fa5fd1cbff5d8610282e41
Added to database: 5/5/2026, 9:23:29 PM
Last enriched: 5/5/2026, 9:36:47 PM
Last updated: 5/5/2026, 10:30:29 PM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.