Local Privilege Escalation in Pi-hole DNS Sinkhole by Pi-hole Developers
CVE-2026-41489

8.8HIGH

Key Information:

Vendor: Pi-hole
Status: Pi-hole
Vendor: CVE Published:; 11 May 2026

What is CVE-2026-41489?

A local privilege escalation vulnerability exists in Pi-hole versions prior to Core 6.4.2 and FTL 6.6.1. This issue arises from two shell scripts, pihole-FTL-prestart.sh and pihole-FTL-poststop.sh, which are executed with root privileges by systemd. These scripts read the files.pid path from an unvalidated configuration, enabling an attacker with Pi-hole privileges to manipulate files on the system. By injecting arbitrary paths into files.pid, the attacker can target files outside restricted directories, thereby gaining root access and potentially compromising the system. This vulnerability facilitates unauthorized SSH access via manipulation of the authorized_keys file, with significant security implications for systems running Pi-hole.

Affected Version(s)

pi-hole >= 6.0, < 6.4.2

References

https://github.com/pi-hole/pi-hole/security/advisories/GH...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 11, 2026
Vulnerability Reserved
Apr 20, 2026

CVE-2026-41489 Data

JSON