CVE-2026-32136

Critical · Public PoC

Published: 11 March 2026

Modified: 13 March 2026
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0073 (49.7th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-32136 is a critical-severity Improper Authentication (CWE-287) vulnerability in AdGuard Home. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 49.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-32136 affects AdGuard Home, network-wide software for blocking ads and tracking, in versions prior to 0.107.73. The vulnerability is an authentication bypass (CWE-287): an unauthenticated remote attacker sends an HTTP/1.1 request that asks for an upgrade to HTTP/2 cleartext (h2c). Once the server accepts the upgrade, the resulting HTTP/2 connection is handled by an inner mux that has no authentication middleware, so all subsequent HTTP/2 requests on that connection are processed as fully authenticated, even without credentials. The issue has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Any unauthenticated remote attacker with network access to the AdGuard Home instance can exploit this vulnerability. By initiating the h2c upgrade and sending follow-up HTTP/2 requests, the attacker gains unauthorized full administrative access, enabling high-impact actions such as reading sensitive configuration data, modifying filtering rules, or disrupting service operations.

The vulnerability is fixed in AdGuard Home version 0.107.73. The official advisory on GitHub (GHSA-5fg6-wrq4-w5gh) details the patch and recommends upgrading to the fixed version immediately as the mitigation.

Vulnerability details

AdGuard Home is a network-wide software for blocking ads and tracking. Prior to 0.107.73, an unauthenticated remote attacker can bypass all authentication in AdGuardHome by sending an HTTP/1.1 request that requests an upgrade to HTTP/2 cleartext (h2c). Once the upgrade is accepted, the resulting HTTP/2 connection is handled by the inner mux, which has no authentication middleware attached. All subsequent HTTP/2 requests on that connection are processed as fully authenticated, regardless of whether any credentials were provided. This vulnerability is fixed in 0.107.73.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application · Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability enables unauthenticated remote exploitation of a public-facing AdGuard Home server via HTTP/2 upgrade to bypass authentication and gain full admin access, directly facilitating T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-1044 (shared CWE-287)
CVE-2026-1740 (shared CWE-287)
CVE-2026-7022 (shared CWE-287)
CVE-2024-13111 (shared CWE-287)
CVE-2026-29145 (shared CWE-287)
CVE-2018-25236 (shared CWE-287)
CVE-2024-53704 (shared CWE-287)
CVE-2024-57049 (shared CWE-287)
CVE-2025-12374 (shared CWE-287)
CVE-2025-15484 (shared CWE-287)

Affected Assets

Vendor: adguard · Product: adguardhome · Version: ≤ 0.107.73

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Requires timely identification, reporting, and correction of the specific authentication bypass flaw via h2c upgrade in AdGuard Home prior to version 0.107.73.

Prevent: Mandates enforcement of approved authorizations on all system interfaces, including the inner HTTP/2 mux lacking authentication middleware.

Prevent: Boundary protection at external interfaces can block or filter unauthorized HTTP/1.1 to h2c upgrade requests from remote attackers.
