AdGuard Home, a highly popular network-wide ad and tracker blocking solution, has recently issued an emergency security hotfix to address a critical flaw.
This severe vulnerability, officially tracked under the identifier CVE-2026-32136, has been assigned a maximum severity rating of 9.8 out of 10 on the Common Vulnerability Scoring System scale.
The security defect enables remote, unauthenticated attackers to bypass the software’s built-in login mechanisms completely.
By exploiting this weakness, malicious actors can gain full administrative privileges over the affected system without ever needing to provide valid user credentials.
Discovery and Disclosure
The critical authentication bypass issue was initially discovered and responsibly reported by a security researcher known as mandreko.
Upon receiving the vulnerability report, the AdGuard development team swiftly verified the flaw’s severity and coordinated its submission to public vulnerability databases.
Recognizing the extreme risk to users worldwide, the maintainers worked quickly to develop and publish the 0.107.73 hotfix.
This rapid response was intended to secure the community's networks before attackers could weaponize the flaw for widespread exploitation.
The root cause of this vulnerability lies in how unpatched iterations of AdGuard Home handle specific network connection upgrade requests.
The attack sequence begins when a remote threat actor sends a seemingly standard HTTP/1.1 request to the targeted AdGuard server.
Embedded within this malicious request is a specific command asking the server to upgrade the ongoing connection to HTTP/2 Cleartext, commonly referred to as h2c.
Once the server accepts this upgrade, it passes the resulting HTTP/2 connection directly into an internal multiplexer.
Critically, this internal multiplexer completely lacks the necessary authentication middleware.
As a result of this architectural oversight, all subsequent HTTP/2 requests transmitted over this newly established channel are automatically treated by the system as fully authenticated, granting the attacker unrestricted administrative control.
To neutralize this severe threat, the AdGuard development team successfully patched the vulnerability by requiring strict authentication protocols for all requests upgraded from h2c to public resources.
System administrators and home users are strongly urged to implement immediate protective measures to secure their environments.
The primary remediation step is to update all active AdGuard Home instances to version 0.107.73 or a subsequent release.
Additionally, network administrators should review their firewall configurations to ensure that public internet access to the AdGuard Home management interface is strictly blocked.
Finally, security teams are advised to comprehensively audit their existing DNS routing rules and system access logs to identify any unauthorized configuration changes that may indicate a prior compromise.
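As an added example (not AdGuard Home's code or its patch), the Go middleware below shows how a reverse proxy placed in front of the management interface could refuse the HTTP/1.1 requests described above that ask for an upgrade to h2c. The function names, the 403 response and the sample Upgrade values are assumptions made for illustration; updating to 0.107.73 or later remains the fix.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// isH2CUpgrade reports whether a request asks to switch to cleartext
// HTTP/2. It matches the "h2c" token in any Upgrade header value,
// case-insensitively, and does not require a Connection header.
func isH2CUpgrade(r *http.Request) bool {
	for _, v := range r.Header.Values("Upgrade") {
		for _, t := range strings.Split(v, ",") {
			if strings.EqualFold(strings.TrimSpace(t), "h2c") {
				return true
			}
		}
	}
	return false
}

// rejectH2C refuses upgrade attempts before they reach the backend.
func rejectH2C(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if isH2CUpgrade(r) {
			http.Error(w, "h2c upgrade not allowed", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends one constructed request with the given Upgrade value
// through the filter and returns the status the client would see.
func statusFor(upgrade string) int {
	backend := http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	req.Header.Set("Connection", "Upgrade")
	req.Header.Set("Upgrade", upgrade)
	rec := httptest.NewRecorder()
	rejectH2C(backend).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(statusFor("h2c"), statusFor("websocket"), statusFor(""))
}
```

Other upgrade types such as WebSocket pass through unchanged, so the filter only affects clients that request cleartext HTTP/2.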