CVE-2026-32136

AdGuard Home and Affected Versions AdGuard Home versions prior to 0.107.73

Description AdGuard Home is a network-wide software for blocking ads and tracking. A critical issue exists where an unauthenticated remote attacker can bypass all authentication mechanisms. This is achieved by sending an HTTP/1.1 request that requests an upgrade to HTTP/2 cleartext (h2c). Once the upgrade is accepted, the resulting HTTP/2 connection is handled by an internal multiplexer that lacks authentication middleware. Consequently, all subsequent HTTP/2 requests on that connection are processed as if they are fully authenticated, regardless of whether any credentials were provided. The root cause lies in the improper placement of the authentication middleware within the HTTP server configuration. Specifically, the authentication middleware is applied at the outer layer but bypassed when the h2c upgrade occurs, as the inner multiplexer does not enforce authentication. An attacker can exploit this to gain full administrative API access, including the ability to read and modify DNS configuration, add malicious filter lists, disable protection, change the admin password, and hijack DNS resolution for all clients on the network. A proof-of-concept (PoC) script demonstrates the bypass using a raw TCP connection with HTTP/2 framing, allowing an attacker to extract DNS query history and device inventory information. The vulnerability is exploitable without any credentials.

Recommendations Update to version 0.107.73 or later.