CVE-2026-32136
Received Received - Intake
Authentication Bypass via HTTP/2 Upgrade in AdGuard Home

Publication date: 2026-03-11

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
AdGuard Home is a network-wide software for blocking ads and tracking. Prior to 0.107.73, an unauthenticated remote attacker can bypass all authentication in AdGuardHome by sending an HTTP/1.1 request that requests an upgrade to HTTP/2 cleartext (h2c). Once the upgrade is accepted, the resulting HTTP/2 connection is handled by the inner mux, which has no authentication middleware attached. All subsequent HTTP/2 requests on that connection are processed as fully authenticated, regardless of whether any credentials were provided. This vulnerability is fixed in 0.107.73.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-03-13
Generated
2026-06-16
AI Q&A
2026-03-12
EPSS Evaluated
2026-06-14
NVD
CVE-2026-32136
EUVD
EUVD-2026-11416
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
adguard adguardhome to 0.107.73 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in AdGuard Home versions prior to 0.107.73. An unauthenticated remote attacker can bypass all authentication by sending an HTTP/1.1 request that requests an upgrade to HTTP/2 cleartext (h2c). When the upgrade is accepted, the HTTP/2 connection is handled by an internal multiplexer that lacks authentication checks. As a result, all subsequent HTTP/2 requests on that connection are treated as fully authenticated, even if no credentials were provided.

Impact Analysis

This vulnerability can have severe impacts because it allows an attacker to gain full authenticated access remotely without any credentials. The attacker can potentially control or manipulate the AdGuard Home service, leading to unauthorized access to network-wide ad blocking and tracking configurations. Given the CVSS score of 9.8, the impact includes high confidentiality, integrity, and availability risks.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade AdGuard Home to version 0.107.73 or later, where the issue is fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32136. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart