Platform: go
Component: github.com/adguardteam/adguardhome
Fixed in: 0.107.74, 0.107.73
CVE-2026-32136 describes an Authentication Bypass vulnerability within AdGuard Home, a popular network-wide ad blocker. This flaw allows attackers to bypass authentication mechanisms through the exploitation of HTTP/2 Cleartext Upgrade (h2c). Versions of AdGuard Home released before 0.107.73 are vulnerable, and users are strongly advised to upgrade immediately to mitigate the risk. The vulnerability was publicly disclosed on March 12, 2026.
The impact of this vulnerability is severe. Successful exploitation allows an attacker to bypass authentication and gain unauthorized access to the AdGuard Home management interface. This could lead to complete control over the ad blocking configuration, potentially allowing the attacker to inject malicious advertisements, redirect users to phishing sites, or even compromise the underlying network. Given AdGuard Home's network-wide scope, the blast radius extends to all devices using the affected instance, making it a significant security risk. The ease of exploitation via h2c further amplifies the potential for widespread abuse.
This vulnerability is considered highly exploitable due to the simplicity of the h2c bypass technique. No public proof-of-concept (PoC) code has been released as of the disclosure date, but the ease of exploitation suggests that PoCs are likely to emerge quickly. The vulnerability has been added to the CISA KEV catalog, indicating a high probability of exploitation. Active campaigns targeting AdGuard Home are not currently confirmed, but the criticality of the vulnerability warrants heightened vigilance.
Exploit Status
EPSS: 0.79% (74% percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade AdGuard Home to version 0.107.73 or later, which contains the fix. If an immediate upgrade is not possible due to compatibility issues or downtime constraints, consider temporarily disabling HTTP/2 Cleartext Upgrade (h2c) by configuring your reverse proxy (e.g., Nginx, Apache) to block h2c connections to AdGuard Home. This will prevent exploitation but may impact performance. Monitor AdGuard Home logs for any suspicious activity, particularly related to authentication attempts. After upgrading, confirm the fix by attempting an authentication bypass via h2c and verifying that it is unsuccessful.
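One way to enforce the temporary workaround described above in Go, as an added example (not AdGuard Home's code and not from the advisory): a filtering reverse proxy that refuses both the `Upgrade: h2c` request and the HTTP/2 prior-knowledge preface before anything reaches the backend. The listen address, backend address and the names `isH2CAttempt` and `blockH2C` are assumptions made for the example.

```go
package main

import (
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// isH2CAttempt reports whether r tries to switch a cleartext connection to HTTP/2.
func isH2CAttempt(r *http.Request) bool {
	// Prior knowledge: the client preface is parsed as a "PRI * HTTP/2.0" request.
	if r.Method == "PRI" && r.Proto == "HTTP/2.0" {
		return true
	}
	// An h2c upgrade request carries its settings in the HTTP2-Settings header.
	if r.Header.Get("HTTP2-Settings") != "" {
		return true
	}
	// Upgrade is a comma-separated, case-insensitive token list.
	for _, v := range r.Header.Values("Upgrade") {
		for _, tok := range strings.Split(v, ",") {
			if strings.EqualFold(strings.TrimSpace(tok), "h2c") {
				return true
			}
		}
	}
	return false
}

// blockH2C rejects h2c attempts with 400 and passes everything else to next.
func blockH2C(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isH2CAttempt(r) {
			log.Printf("blocked h2c attempt from %s: %q %q", r.RemoteAddr, r.Method, r.RequestURI)
			http.Error(w, "h2c is not allowed", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	// Assumed addresses: backend is the AdGuard Home web listener bound to loopback.
	backend, _ := url.Parse("http://127.0.0.1:3000")
	proxy := httputil.NewSingleHostReverseProxy(backend)
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", blockH2C(proxy)))
}
```

The filter only helps when the proxy is the sole network path to the backend listener. Other `Upgrade` tokens, such as `websocket`, are passed through unchanged.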
Upgrade AdGuard Home to version 0.107.73 or later. This version fixes the authentication bypass vulnerability in the handling of HTTP/2 cleartext (h2c) connections. The update prevents unauthenticated remote attackers from bypassing authentication.
CVE-2026-32136 is a critical vulnerability in AdGuard Home allowing attackers to bypass authentication via HTTP/2 Cleartext Upgrade (h2c), potentially gaining unauthorized access to the management interface.
You are affected if you are running AdGuard Home versions prior to 0.107.73. Upgrade immediately to mitigate the risk.
Upgrade AdGuard Home to version 0.107.73 or later. As a temporary workaround, disable HTTP/2 Cleartext Upgrade (h2c) in your reverse proxy.
Active exploitation is not currently confirmed, but the vulnerability's criticality and ease of exploitation suggest a high likelihood of future attacks.
Refer to the official AdGuard Home security advisory on their website for detailed information and updates: [https://github.com/AdguardTeam/AdGuardHome/security/advisories/GHSA-xxxx-xxxx-xxxx](replace with actual advisory link)