Description
AdGuard Home, when started with the --glinet flag, contains an authentication bypass vulnerability that allows unauthenticated attackers to gain full admin access. The authglinet middleware builds the token file path by unsanitized string concatenation, so a path traversal sequence supplied in the Admin-Token cookie redirects the token file read to an arbitrary path.
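The flawed pattern described above beside a hardened form, as an added Go example that is not AdGuard Home's code or its actual fix. The token directory, the token format and all function names are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// tokenDir is a hypothetical directory holding one file per valid session token.
const tokenDir = "/var/run/example-tokens"

// tokenRe is an assumed token format: 1 to 64 ASCII letters or digits.
var tokenRe = regexp.MustCompile(`^[A-Za-z0-9]{1,64}$`)

var errBadToken = errors.New("token rejected")

// unsafeTokenPath shows the flawed pattern: the cookie value is concatenated
// into the path, so the client decides which file the server reads.
func unsafeTokenPath(token string) string {
	return tokenDir + "/" + token
}

// safeTokenPath validates the token against an allowlist, then confirms the
// joined path is still a direct child of tokenDir before it is used.
func safeTokenPath(token string) (string, error) {
	if !tokenRe.MatchString(token) {
		return "", errBadToken
	}
	p := filepath.Join(tokenDir, token)
	rel, err := filepath.Rel(tokenDir, p)
	if err != nil || rel != token || strings.ContainsRune(rel, filepath.Separator) {
		return "", errBadToken
	}
	return p, nil
}

func main() {
	// Constructed sample cookie values, not taken from the advisory.
	for _, tok := range []string{"a1b2c3d4", "../../etc/hostname", "", "a/b"} {
		p, err := safeTokenPath(tok)
		fmt.Printf("%q unsafe=%q safe=%q err=%v\n",
			tok, filepath.Clean(unsafeTokenPath(tok)), p, err)
	}
}
```

The allowlist check alone rejects every traversal input here; the containment check is a second layer that still holds if the token format is later loosened.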
Problem types
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Product status
Any version before 0.107.77
Credits
djnn
VulnCheck
References
github.com/AdguardTeam/AdGuardHome/releases/tag/v0.107.77
www.vulncheck.com/...ia-path-traversal-in-admin-token-cookie