New Critical AdGuard Home Flaw Lets Attackers Bypass Authentication
AdGuard Home, a widely adopted network-wide solution for blocking advertisements and trackers, recently released an urgent security patch to address a critical vulnerability.
This severe flaw, documented as CVE-2026-32136, received the highest possible severity score of 9.8 out of 10 on the Common Vulnerability Scoring System.
The security defect allows remote attackers without any authentication credentials to completely bypass AdGuard Home’s login protection mechanisms.
By exploiting this weakness, malicious actors can gain full administrative control over the affected system.
Discovery and Disclosure
The critical authentication bypass issue was first identified and responsibly disclosed by the security researcher mandreko.
Upon receiving the report, the AdGuard development team promptly verified the flaw’s extreme risk and coordinated its submission to security databases.
Recognizing the global threat to users, the maintainers quickly developed and published the version 0.107.73 security hotfix.
This rapid action aimed to secure community networks before malicious actors could exploit the vulnerability widely.
The root cause lies in how unpatched versions of AdGuard Home process specific HTTP connection upgrade requests.
The attack begins when a remote threat actor sends a standard HTTP/1.1 request to the targeted AdGuard server, containing a command to upgrade the connection to HTTP/2 Cleartext (h2c).
Upon accepting the upgrade, the server channels the HTTP/2 connection directly into an internal multiplexer.
This critical internal component lacks any authentication middleware.
As a direct result, all subsequent HTTP/2 requests transmitted over this upgraded channel are automatically accepted as authenticated, granting the attacker complete administrative privileges.
To resolve this critical threat, the AdGuard team successfully patched the vulnerability by implementing mandatory authentication checks for all requests upgraded from h2c to public resources.
System administrators and home users are strongly urged to take immediate protective measures.
The primary remediation step is to update all active AdGuard Home instances immediately to version 0.107.73 or later.
Additionally, network administrators should ensure public internet access to the AdGuard Home management interface is strictly blocked via firewall configurations.
Finally, security teams are advised to conduct a thorough audit of existing DNS routing rules and system access logs to detect any signs of prior unauthorized changes that may indicate compromise.