Nixpkgs security tracker
Permalink
CVE-2026-32136
9.8 CRITICAL
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): NONE
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): HIGH
- Availability impact (A): HIGH
Activity log
- Created suggestion
AdGuard Home: HTTP/2 Cleartext (h2c) Upgrade Authentication Bypass
AdGuard Home is a network-wide software for blocking ads and tracking. Prior to 0.107.73, an unauthenticated remote attacker can bypass all authentication in AdGuardHome by sending an HTTP/1.1 request that requests an upgrade to HTTP/2 cleartext (h2c). Once the upgrade is accepted, the resulting HTTP/2 connection is handled by the inner mux, which has no authentication middleware attached. All subsequent HTTP/2 requests on that connection are processed as fully authenticated, regardless of whether any credentials were provided. This vulnerability is fixed in 0.107.73.
References
Affected products
AdGuardHome
- ==< 0.107.73
Matching in nixpkgs
pkgs.adguardhome
Network-wide ads & trackers blocking DNS server
pkgs.python312Packages.adguardhome
Python client for the AdGuard Home API
pkgs.python313Packages.adguardhome
Python client for the AdGuard Home API
pkgs.python314Packages.adguardhome
Python client for the AdGuard Home API
Package maintainers
-
@Golbinex Kryštof Baksa <baksa@pm.me>
-
@numkem Sebastien Bariteau <numkem@numkem.org>
-
@iagocq Iago Manoel Brito
-
@rhoriguchi Ryan Horiguchi <ryan.horiguchi@gmail.com>
-
@JamieMagee Jamie Magee <jamie.magee@gmail.com>