Local Privilege Escalation in Pi-hole by Pi-hole Developers
CVE-2026-33727

6.4 MEDIUM

Key Information:

Vendor: Pi-hole
Status: Vendor
CVE Published: 6 April 2026

What is CVE-2026-33727?

Pi-hole, a Linux-based network advertisement and Internet tracker blocker, has a local privilege escalation vulnerability in version 6.4. The pihole service account has a nologin shell, yet compromising any Pi-hole component that runs as that account can lead to code execution as root: root-run Pi-hole scripts consume the contents of /etc/pihole/versions, so an attacker who controls that content through a compromised Pi-hole component can run unauthorized code as root. This vulnerability has been addressed in version 6.4.1.
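As an added example (not Pi-hole's own code) of the defensive check a root-run script should make before trusting this file, the script below audits /etc/pihole/versions for ownership, write permissions and content. It assumes the file is consumed with the shell's `.`/`source`, so any line that is not a plain NAME=value assignment would execute as root; the function names and the allow-list pattern are this example's own.

```shell
#!/bin/sh
# Added example, not Pi-hole's own code. Audits /etc/pihole/versions (the path named
# in the advisory) before a root-run script consumes it. Assumption: the file is read
# with the shell's `.`/`source`, so anything beyond NAME=value would execute as root.

# 0 if every non-blank, non-comment line is a plain NAME=value assignment whose value
# contains no shell metacharacters (no $, backticks, ;, |, &, (, ), <, > or stray quotes).
versions_content_is_safe() {
    f="$1"
    [ -f "$f" ] || return 1
    # grep -v selects lines that do NOT match the allow-list; any hit means unsafe.
    if grep -Evq '^[[:space:]]*($|#|[A-Za-z_][A-Za-z0-9_]*=("[A-Za-z0-9._/ -]*"|[A-Za-z0-9._/-]*)[[:space:]]*$)' "$f"; then
        return 1
    fi
    return 0
}

# 0 if the file is owned by the expected account (root in production) and is not
# writable by group or others, so an unprivileged service account cannot plant content.
# Parses `ls -ld` rather than `stat` so it works on both GNU and BSD userlands.
versions_file_perms_ok() {
    f="$1"
    owner="${2:-root}"
    [ -f "$f" ] || return 1
    line=$(ls -ld "$f")
    perms=$(printf '%s\n' "$line" | awk '{print $1}')
    actual=$(printf '%s\n' "$line" | awk '{print $3}')
    [ "$actual" = "$owner" ] || return 1
    [ "$(printf '%s' "$perms" | cut -c6)" = "-" ] || return 1   # group write bit
    [ "$(printf '%s' "$perms" | cut -c9)" = "-" ] || return 1   # other write bit
    return 0
}

# Gate to call before sourcing, e.g.: versions_file_ok /etc/pihole/versions && . /etc/pihole/versions
versions_file_ok() {
    versions_file_perms_ok "$1" "${2:-root}" && versions_content_is_safe "$1"
}
```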

Affected Version(s)

pi-hole >= 6.4, < 6.4.1

References

CVSS V3.1

Score: 6.4
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved