CVE-2026-32136
Published 2026-03-11
CVE-2026-32136: AdGuard Home is network-wide software for blocking ads and tracking. Prior to 0.107.73, an unauthenticated remote attacker can bypass all authentication in…
Priority: P2 72, critical, 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.73% (49.8th percentile)
AdGuard Home is network-wide software for blocking ads and tracking. Prior to 0.107.73, an unauthenticated remote attacker can bypass all authentication in AdGuardHome by sending an HTTP/1.1 request that requests an upgrade to HTTP/2 cleartext (h2c). Once the upgrade is accepted, the resulting HTTP/2 connection is handled by the inner mux, which has no authentication middleware attached. All subsequent HTTP/2 requests on that connection are processed as fully authenticated, regardless of whether any credentials were provided. This vulnerability is fixed in 0.107.73.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adguard | adguardhome | < 0.107.73 | 0.107.73 |
| adguardteam | adguardhome | < 0.107.73 | 0.107.73 |
| github.com | adguardteam_adguardhome | >= 0 < 0.107.73 | 0.107.73 |
OSV
AdGuard Home: HTTP/2 Cleartext (h2c) Upgrade Authentication Bypass
osv·2026-03-12
CVE-2026-32136 [CRITICAL] AdGuard Home: HTTP/2 Cleartext (h2c) Upgrade Authentication Bypass
VULNERABILITY: HTTP/2 Cleartext (h2c) Upgrade Authentication Bypass
Severity: CRITICAL
CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CWE: CWE-287 (Improper Authentication)
Component: internal/home/web.go
Affected: AdGuardHome (tested on v0.107.72)
Summary
An unauthenticated remote attacker can bypass all authentication in AdGuardHome by sending an HTTP/1.1 request that requests an upgrade to HTTP/2 cleartext (h2c). Once the upgrade is accepted, the resulting HTTP/2 connection is handled by the inner mux, which has no authentication middleware attached. All subsequent HTTP/2 requests on that connection are processed as fully authenticated, regardless of whether any credentials were provided.
Root Cause
In internal
OSV
AdGuard Home: HTTP/2 Cleartext (h2c) Upgrade Authentication Bypass in github.com/AdguardTeam/AdGuardHome
osv·2026-03-12
CVE-2026-32136 AdGuard Home: HTTP/2 Cleartext (h2c) Upgrade Authentication Bypass in github.com/AdguardTeam/AdGuardHome
GHSA
AdGuard Home: HTTP/2 Cleartext (h2c) Upgrade Authentication Bypass
ghsa·2026-03-12
CVE-2026-32136 [CRITICAL] CWE-287 AdGuard Home: HTTP/2 Cleartext (h2c) Upgrade Authentication Bypass
No detection rules found.
No public exploits indexed.
2026-03-11
Published