Advisory

AdGuard Home Patches Critical Authentication Bypass Vulnerability

Take action: Update your AdGuard Home instances to version 0.107.73 and make sure the interfaces are restricted to local network access to minimize the risk of remote exploitation.


Learn More

AdGuard released AdGuard Home v0.107.73 to patch a critical security flaw that allows unauthenticated attackers to gain full administrative control over the service. The vulnerability affects the network-wide DNS filtering platform, which is deployed on home routers and Raspberry Pi devices to block ads and trackers. 

The vulnerability is tracked as CVE-2026-32136 (CVSS score 9.8). It is an authentication bypass that occurs during the HTTP/2 Cleartext (h2c) upgrade process. An attacker sends an HTTP/1.1 upgrade request to a whitelisted public endpoint, such as /control/login, which the authentication middleware permits. Once the h2c handler hijacks the connection and passes it to an internal HTTP/2 server, the security middleware is bypassed, and subsequent requests execute with full administrative privileges without credentials.

A successful exploit grants an attacker complete authority over the network's DNS infrastructure. The attacker can query DNS logs that reveal private browsing history, inventory DHCP devices and network maps, modify upstream DNS servers to point to attacker-controlled IP addresses, and disable security filters and protection features.

The vulnerability impacts AdGuard Home versions prior to v0.107.73, including version v0.107.72.

AdGuard recommends that all users update to version 0.107.73 as soon as possible. Administrators should also ensure the web management interface is not exposed to the public internet and remains accessible only through trusted local networks or VPNs. For those unable to update immediately, disabling h2c support or implementing a reverse proxy with its own authentication layer can provide temporary protection against exploitation.
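
One way to build the temporary reverse-proxy mitigation described above, as an added example that is not AdGuard's code: a Go front end that enforces its own Basic auth on every request and, as an extra precaution assumed here, refuses h2c upgrade requests so the connection stays HTTP/1.1. The upstream address, listen address and credentials are placeholders, and `isH2CUpgrade`, `guard` and `newProxy` are hypothetical names.

```go
package main

import (
	"crypto/subtle"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// isH2CUpgrade reports whether r asks to switch the connection to cleartext HTTP/2.
func isH2CUpgrade(r *http.Request) bool {
	for _, tok := range strings.Split(strings.Join(r.Header.Values("Upgrade"), ","), ",") {
		if strings.EqualFold(strings.TrimSpace(tok), "h2c") {
			return true
		}
	}
	return r.Header.Get("HTTP2-Settings") != ""
}

// guard refuses h2c upgrades and checks Basic auth before next sees any request.
func guard(next http.Handler, user, pass string) http.Handler {
	want := []byte(user + ":" + pass)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isH2CUpgrade(r) { // no whitelisted path: the check applies to every URL
			http.Error(w, "h2c upgrade refused", http.StatusBadRequest)
			return
		}
		if u, p, ok := r.BasicAuth(); !ok || subtle.ConstantTimeCompare([]byte(u+":"+p), want) != 1 {
			w.Header().Set("WWW-Authenticate", `Basic realm="proxy"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		r.Header.Del("Authorization") // keep the proxy credentials away from the upstream
		next.ServeHTTP(w, r)
	})
}

// newProxy places guard in front of a reverse proxy to target.
func newProxy(target *url.URL, user, pass string) http.Handler {
	return guard(httputil.NewSingleHostReverseProxy(target), user, pass)
}

func main() {
	target := &url.URL{Scheme: "http", Host: "127.0.0.1:3000"} // placeholder upstream address
	h := newProxy(target, "admin", "change-me")                 // placeholder credentials
	panic(http.ListenAndServe("127.0.0.1:8080", h))
}
```

Serve the proxy over TLS or keep it on a trusted network, since Basic credentials are otherwise sent in cleartext.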
