CVE-2026-32136
Published: 11 March 2026
Summary
CVE-2026-32136 is a critical-severity Improper Authentication (CWE-287) vulnerability in Adguard Adguardhome. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 49.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-32136 affects AdGuard Home, a network-wide software for blocking ads and tracking, in versions prior to 0.107.73. The vulnerability is an authentication bypass (CWE-287) that allows an unauthenticated remote attacker to send an HTTP/1.1 request requesting an upgrade to HTTP/2 cleartext (h2c). Once the server accepts the upgrade, the resulting HTTP/2 connection is handled by an inner mux without authentication middleware, causing all subsequent HTTP/2 requests on that connection to be processed as fully authenticated, even without credentials. The issue has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Any unauthenticated remote attacker with network access to the AdGuard Home instance can exploit this vulnerability. By initiating the h2c upgrade and sending follow-up HTTP/2 requests, the attacker gains unauthorized full administrative access, enabling high-impact actions such as reading sensitive configuration data, modifying filtering rules, or disrupting service operations.
The vulnerability is fixed in AdGuard Home version 0.107.73. The official advisory on GitHub (GHSA-5fg6-wrq4-w5gh) details the patch and recommends immediate upgrading to the fixed version for mitigation.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11416
Vulnerability details
AdGuard Home is a network-wide software for blocking ads and tracking. Prior to 0.107.73, an unauthenticated remote attacker can bypass all authentication in AdGuardHome by sending an HTTP/1.1 request that requests an upgrade to HTTP/2 cleartext (h2c). Once the upgrade…
more
is accepted, the resulting HTTP/2 connection is handled by the inner mux, which has no authentication middleware attached. All subsequent HTTP/2 requests on that connection are processed as fully authenticated, regardless of whether any credentials were provided. This vulnerability is fixed in 0.107.73.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables unauthenticated remote exploitation of a public-facing AdGuard Home server via HTTP/2 upgrade to bypass authentication and gain full admin access, directly facilitating T1190: Exploit Public-Facing Application.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely identification, reporting, and correction of the specific authentication bypass flaw via h2c upgrade in AdGuard Home prior to version 0.107.73.
Mandates enforcement of approved authorizations on all system interfaces, including the inner HTTP/2 mux lacking authentication middleware.
Boundary protection at external interfaces can block or filter unauthorized HTTP/1.1 to h2c upgrade requests from remote attackers.