Authentication Bypass in AdGuard Home by Remote Attackers
CVE-2026-32136

9.8 CRITICAL

Key Information:

Vendor
CVE Published: 11 March 2026

What is CVE-2026-32136?

CVE-2026-32136 is an authentication bypass in AdGuard Home, a popular network-wide software solution designed to block advertisements and trackers. An unauthenticated remote attacker can bypass the application's authentication by sending an HTTP/1.1 request that asks to upgrade the connection to cleartext HTTP/2 (h2c). Once that request is processed, subsequent requests over the established HTTP/2 connection do not require any credentials and are treated as if they were made by an authenticated user. This gives the attacker unauthorized access to the software's functionality, including manipulating settings and extracting sensitive data, which undermines the integrity and security of the network it protects.
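
An h2c upgrade request is recognisable by its standard Upgrade, Connection and HTTP2-Settings headers, so a front-end proxy or a traffic review can flag it. The Python below is an added example, not code from AdGuard Home or from this advisory; the function names, the host name and the sample requests are constructed for illustration.

```python
"""Flag HTTP/1.1 request heads that ask for a cleartext HTTP/2 (h2c) upgrade."""

def parse_head(raw: bytes):
    """Return (request_line, {lowercased header name: [values]}) for one request."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines that carry no colon
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers

def tokens(headers, name):
    """Lowercased comma-separated tokens of a header, across repeated lines."""
    values = headers.get(name, [])
    return {t.strip().lower() for v in values for t in v.split(",") if t.strip()}

def h2c_upgrade_finding(raw: bytes):
    """Return a finding dict if the request asks to upgrade to h2c, else None."""
    request_line, headers = parse_head(raw)
    if "h2c" not in tokens(headers, "upgrade"):
        return None
    return {
        "request_line": request_line,
        # A well-formed upgrade also lists "Upgrade" in Connection and sends
        # HTTP2-Settings; record both so odd variants stand out in review.
        "connection_lists_upgrade": "upgrade" in tokens(headers, "connection"),
        "has_http2_settings": "http2-settings" in headers,
    }

# Constructed sample request heads (not captured traffic; host is hypothetical).
SAMPLES = [
    b"GET / HTTP/1.1\r\nHost: adguard.example\r\nConnection: Upgrade, HTTP2-Settings\r\n"
    b"Upgrade: h2c\r\nHTTP2-Settings: PLACEHOLDER\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: adguard.example\r\nConnection: Upgrade\r\n"
    b"Upgrade: websocket\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: adguard.example\r\nupgrade: WebSocket, H2C\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: adguard.example\r\n\r\n",
]

def scan(samples=SAMPLES):
    """Return the findings for every sample that requests an h2c upgrade."""
    return [f for f in map(h2c_upgrade_finding, samples) if f]

if __name__ == "__main__":
    for finding in scan():
        print(finding)
```

A hit against an instance older than 0.107.73 is worth reviewing together with the requests that followed on the same connection.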

Potential impact of CVE-2026-32136

  1. Unauthorized Access: Attackers can exploit this vulnerability to gain full access to the AdGuard Home interface without needing to authenticate, allowing them to change settings, disable protections, or alter user configurations.

  2. Data Privacy Breaches: The vulnerability may lead to exposure of user data that the software is intended to safeguard. If attackers can manipulate the settings, they might enable tracking or ad-serving that compromises user privacy.

  3. Service Disruption: By gaining control over the AdGuard Home application, attackers could effectively disrupt service by disabling ad-blocking functionalities, leading to a negative user experience and potential exposure to malicious advertisements or intrusive content.

Affected Version(s)

AdGuardHome < 0.107.73

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved