Plataforma
go
Componente
github.com/adguardteam/adguardhome
Corrigido em
0.107.74
0.107.73
CVE-2026-32136 describes an Authentication Bypass vulnerability within AdGuard Home, a popular network-wide ad blocker. This flaw allows attackers to bypass authentication mechanisms through the exploitation of HTTP/2 Cleartext Upgrade (h2c). Versions of AdGuard Home released before 0.107.73 are vulnerable, and users are strongly advised to upgrade immediately to mitigate the risk. The vulnerability was publicly disclosed on March 12, 2026.
The impact of this vulnerability is severe. Successful exploitation allows an attacker to bypass authentication and gain unauthorized access to the AdGuard Home management interface. This could lead to complete control over the ad blocking configuration, potentially allowing the attacker to inject malicious advertisements, redirect users to phishing sites, or even compromise the underlying network. Given AdGuard Home's network-wide scope, the blast radius extends to all devices using the affected instance, making it a significant security risk. The ease of exploitation via h2c further amplifies the potential for widespread abuse.
This vulnerability is considered highly exploitable due to the simplicity of the h2c bypass technique. No public proof-of-concept (PoC) code has been released as of the disclosure date, but the ease of exploitation suggests that PoCs are likely to emerge quickly. The vulnerability has been added to the CISA KEV catalog, indicating a high probability of exploitation. Active campaigns targeting AdGuard Home are not currently confirmed, but the criticality of the vulnerability warrants heightened vigilance.
Organizations and individuals relying on AdGuard Home for network-wide ad blocking are at risk, particularly those running older, unpatched versions. Shared hosting environments where AdGuard Home is deployed as a service are especially vulnerable, as they may lack control over the underlying software versions. Users with custom configurations or reverse proxy setups should carefully review their configurations to ensure they do not inadvertently expose h2c connections.
• linux / server:
journalctl -u AdGuardHome -g "authentication bypass"• generic web:
curl -I https://your-adguardhome-instance/ | grep HTTP/2• go / supply-chain: Examine AdGuardHome source code for h2c related functions and potential bypass logic.
disclosure
Status do Exploit
EPSS
0.79% (percentil 74%)
CISA SSVC
Vetor CVSS
The primary mitigation is to upgrade AdGuard Home to version 0.107.73 or later, which contains the fix. If an immediate upgrade is not possible due to compatibility issues or downtime constraints, consider temporarily disabling HTTP/2 Cleartext Upgrade (h2c) by configuring your reverse proxy (e.g., Nginx, Apache) to block h2c connections to AdGuard Home. This will prevent exploitation but may impact performance. Monitor AdGuard Home logs for any suspicious activity, particularly related to authentication attempts. After upgrading, confirm the fix by attempting an authentication bypass via h2c and verifying that it is unsuccessful.
Actualice AdGuard Home a la versión 0.107.73 o superior. Esta versión corrige la vulnerabilidad de omisión de autenticación al manejar conexiones HTTP/2 cleartext (h2c). La actualización impedirá que atacantes remotos no autenticados eludan la autenticación.
Análise de vulnerabilidades e alertas críticos diretamente no seu e-mail.
CVE-2026-32136 is a critical vulnerability in AdGuard Home allowing attackers to bypass authentication via HTTP/2 Cleartext Upgrade (h2c), potentially gaining unauthorized access to the management interface.
You are affected if you are running AdGuard Home versions prior to 0.107.73. Upgrade immediately to mitigate the risk.
Upgrade AdGuard Home to version 0.107.73 or later. As a temporary workaround, disable HTTP/2 Cleartext Upgrade (h2c) in your reverse proxy.
Active exploitation is not currently confirmed, but the vulnerability's criticality and ease of exploitation suggest a high likelihood of future attacks.
Refer to the official AdGuard Home security advisory on their website for detailed information and updates: [https://github.com/AdguardTeam/AdGuardHome/security/advisories/GHSA-xxxx-xxxx-xxxx](replace with actual advisory link)
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.
Envie seu arquivo go.mod e descubra na hora se você está afetado.