Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
9.8
AdGuard Home: Unauthenticated Access via HTTP/2 Upgrade
CVE-2026-32136
GHSA-5fg6-wrq4-w5gh
Summary
An attacker can bypass authentication in AdGuard Home by sending a specific HTTP request, allowing them to access the system without a login. This is a critical issue, and we recommend updating to the latest version of AdGuard Home to fix it. If you can't update immediately, consider blocking HTTP/2 connections to prevent exploitation.
What to do
- Update github.com adguardteam to version 0.107.73.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | adguardteam | <= 0.107.73 | 0.107.73 |
| adguard | adguardhome | <= 0.107.73 | – |
Original title
AdGuard Home is a network-wide software for blocking ads and tracking. Prior to 0.107.73, an unauthenticated remote attacker can bypass all authentication in AdGuardHome by sending an HTTP/1.1 requ...
Original description
AdGuard Home is a network-wide software for blocking ads and tracking. Prior to 0.107.73, an unauthenticated remote attacker can bypass all authentication in AdGuardHome by sending an HTTP/1.1 request that requests an upgrade to HTTP/2 cleartext (h2c). Once the upgrade is accepted, the resulting HTTP/2 connection is handled by the inner mux, which has no authentication middleware attached. All subsequent HTTP/2 requests on that connection are processed as fully authenticated, regardless of whether any credentials were provided. This vulnerability is fixed in 0.107.73.
nvd CVSS3.1
9.8
Vulnerability type
CWE-287
Improper Authentication
Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026