PT-2026-30863 · Pi-Hole · Pi-Hole Ftl
Mzalzahrani · Published 2026-04-07 · Updated 2026-04-07 · CVE-2026-35491
CVSS v3.1: 6.1 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Name of the Vulnerable Software and Affected Versions
Pi-hole FTL versions 6.0 through 6.5
Description
Pi-hole FTL provides an interactive API and generates statistics for Pi-hole's Web interface. Versions 6.0 through 6.5 contain an authorization bypass issue related to the Teleporter API. Specifically, the /api/teleporter endpoint allowed CLI-scoped sessions to overwrite configuration via a Teleporter archive, even though the /api/config endpoint correctly blocked CLI sessions from mutating configuration. The issue concerns the CLI password feature (webserver.api.cli_pw), which is intended to grant only read-only access to configuration.
Recommendations
Update to version 6.6 or later.
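The gap above is an authorization check applied per endpoint instead of per capability. The following is an added, constructed model (not Pi-hole FTL's code) that contrasts a guard applied only to /api/config with one applied to every configuration-writing endpoint, plus a regression check that lists which write endpoints a CLI session can still reach; the HTTP methods and the `Session` type are assumptions for illustration.

```python
# Constructed model of the authorization gap in the advisory; not Pi-hole FTL code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user: str
    cli: bool  # True for a session created with the CLI password (webserver.api.cli_pw)


# Every (method, path) that can change configuration (methods are assumed).
# A Teleporter restore writes configuration from the uploaded archive, so it
# belongs in this set alongside the direct config endpoint.
CONFIG_WRITE_ENDPOINTS = frozenset({
    ("PATCH", "/api/config"),
    ("POST", "/api/teleporter"),
})


def authorize_gap(session: Session, method: str, path: str) -> bool:
    """Behaviour the advisory describes: only /api/config refuses CLI writes."""
    if path == "/api/config" and method != "GET" and session.cli:
        return False
    return True


def authorize_consistent(session: Session, method: str, path: str) -> bool:
    """Hypothetical remedy: one guard over the whole set of config-writing endpoints."""
    if (method, path) in CONFIG_WRITE_ENDPOINTS and session.cli:
        return False
    return True


def cli_write_holes(authorize) -> set:
    """Regression check: config-writing endpoints a CLI-scoped session can still use."""
    cli = Session("cli-tool", cli=True)
    return {ep for ep in CONFIG_WRITE_ENDPOINTS if authorize(cli, *ep)}


if __name__ == "__main__":
    print("holes with per-endpoint guard:", cli_write_holes(authorize_gap))
    print("holes with consistent guard:  ", cli_write_holes(authorize_consistent))
```

Run against a real deployment, the same idea becomes a test that enumerates every endpoint able to write configuration and asserts that a CLI-scoped session is refused on each of them.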
Fix
Incorrect Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Pi-Hole Ftl