CVE-2026-33727
Received - Intake
Local Privilege Escalation in Pi-hole 6.4 Enables Root Code Execution

Publication date: 2026-04-06

Last updated on: 2026-04-09

Assigner: GitHub, Inc.

Description
Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Version 6.4 has a local privilege-escalation vulnerability that allows code execution as root from the low-privilege pihole account. Important context: the pihole account uses nologin, so this is not a direct interactive-login issue. However, nologin does not prevent code from running as UID pihole if a Pi-hole component is compromised. In that realistic post-compromise scenario, attacker-controlled content in /etc/pihole/versions is sourced by root-run Pi-hole scripts, leading to root code execution. This vulnerability is fixed in 6.4.1.
Meta Information
Published
2026-04-06
Last Modified
2026-04-09
Generated
2026-05-06
AI Q&A
2026-04-06
EPSS Evaluated
2026-05-05
Affected Vendors & Products
Vendor Product Version / Range
pi-hole pi-hole 6.4
CWE
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows local privilege escalation from the low-privilege pihole account to root, resulting in full root code execution and complete host compromise including confidentiality, integrity, and availability.

Such a compromise could lead to unauthorized access to sensitive data, DNS tampering, persistence, and lateral movement within the network, which may violate data protection requirements under standards like GDPR and HIPAA.

Therefore, if exploited, this vulnerability could negatively impact compliance with regulations that mandate protection of sensitive information and system integrity.


Can you explain this vulnerability to me?

CVE-2026-33727 is a local privilege escalation vulnerability in Pi-hole version 6.4 that allows an attacker with control over the low-privilege "pihole" user account to execute code as the root user.

The "pihole" account is configured with nologin, preventing direct interactive login, but this does not stop code execution as the "pihole" user ID if a Pi-hole component is compromised.

The root cause is that root-run Pi-hole scripts source the file /etc/pihole/versions, which is writable by the "pihole" user due to its ownership and permissions.

An attacker controlling the "pihole" account can modify this file to inject arbitrary shell commands. When root-run Pi-hole scripts source this file, the injected commands execute with root privileges, resulting in full root code execution.
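The hardened alternative to sourcing such a file, shown here as an added example that is neither Pi-hole's code nor the project's actual fix for this CVE: read it as strict KEY=VALUE data so that nothing in it is ever interpreted as shell, whoever can write it. The key names and the value grammar are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not Pi-hole project code): read a value from a key=value file
# without sourcing it, so the file's contents can never become shell code even
# when a lower-privileged account is able to write the file.
# Key names and the value grammar below are assumptions for illustration.

# read_kv FILE KEY -> prints the value of KEY; exit 1 if KEY is not a valid
# identifier, the line is absent, or it does not match the strict grammar.
# Lines containing spaces, quotes, ';', '$(' or any other metacharacter are
# simply rejected, never executed.
read_kv() {
    f=$1; k=$2
    case $k in *[!A-Za-z0-9_]*|"") return 1;; esac   # KEY must be an identifier
    [ -r "$f" ] || return 1
    # VALUE: version-like token only (letters, digits, . _ + -)
    v=$(grep -E "^${k}=[A-Za-z0-9._+-]+$" "$f" | head -n 1 | cut -d= -f2-)
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# check_kv_file FILE -> 0 if every non-empty, non-comment line is a well-formed
# KEY=VALUE pair, 1 (listing the offending lines on stderr) otherwise.
# A root-run script would call this before trusting the file at all.
check_kv_file() {
    bad=$(grep -vE '^(#.*|[[:space:]]*|[A-Za-z_][A-Za-z0-9_]*=[A-Za-z0-9._+-]*)$' "$1")
    if [ -n "$bad" ]; then
        printf 'rejected line(s) in %s:\n%s\n' "$1" "$bad" >&2
        return 1
    fi
}

# demo -> builds a constructed sample (not a real Pi-hole file) with one clean
# line and one tampered line, then shows the strict reader handling both.
demo() {
    s=$(mktemp)
    printf 'CORE_VERSION=v6.4\nWEB_VERSION=v6.1; echo unexpected\n' > "$s"
    check_kv_file "$s" || printf 'file failed validation; it must not be sourced\n'
    printf 'CORE_VERSION read safely: %s\n' "$(read_kv "$s" CORE_VERSION)"
    printf 'WEB_VERSION read safely: %s\n' "$(read_kv "$s" WEB_VERSION || echo '<rejected>')"
    rm -f "$s"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```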


How can this vulnerability impact me?

This vulnerability allows an attacker who has compromised the "pihole" user account to escalate their privileges to root, gaining full control over the affected system.

  • Complete host compromise including confidentiality, integrity, and availability.
  • Potential DNS tampering, which could redirect or intercept network traffic.
  • Persistence on the system, allowing the attacker to maintain access.
  • Lateral movement within the network, potentially compromising other systems.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if the file /etc/pihole/versions is writable by the low-privilege pihole user account, and by verifying if root-run Pi-hole scripts source this file.

  • Check the ownership and permissions of /etc/pihole/versions to confirm it is owned by pihole:pihole with mode 640 or similar.
  • Verify if root executes the pihole command periodically via cron jobs.
  • A practical test involves appending a harmless command to /etc/pihole/versions as the pihole user and then triggering root execution by running 'pihole -v' or waiting for the cron job.
  • Example commands to check permissions and ownership: 'ls -l /etc/pihole/versions'
  • Example command to test write access as pihole user: 'sudo -u pihole sh -c "echo test >> /etc/pihole/versions"'
  • Trigger root execution by running: 'sudo pihole -v'
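The ownership, permission and sourcing checks above, automated as an added audit script that is not from the advisory or the Pi-hole project. It assumes GNU coreutils `stat -c` (Linux), models only plain owner/group/other permission bits (no ACLs), and takes the directory holding the root-run scripts as an argument because the advisory does not name it.

```shell
#!/bin/sh
# Added audit helper for CVE-2026-33727 (not Pi-hole project code).
# Assumes GNU coreutils `stat -c` (Linux). Models plain owner/group/other
# permission bits only; root's override and ACLs are deliberately ignored.

VERSIONS_FILE="${VERSIONS_FILE:-/etc/pihole/versions}"   # file the root-run scripts source
LOW_PRIV_USER="${LOW_PRIV_USER:-pihole}"                  # account that must not be able to write it

# writable_by_user FILE USER -> prints yes | no | missing
# POSIX semantics: owner bits if USER owns FILE, else group bits if USER is in
# the file's group, else other bits. "yes" is the condition the advisory describes.
writable_by_user() {
    f=$1; u=$2
    [ -e "$f" ] || { echo missing; return 1; }
    owner=$(stat -c %U "$f"); group=$(stat -c %G "$f")
    mode=$(printf '%03d' "$(stat -c %a "$f")"); mode=${mode#"${mode%???}"}  # last 3 octal digits
    ub=${mode%??}; gb=${mode#?}; gb=${gb%?}; ob=${mode#??}
    if [ "$owner" = "$u" ]; then bits=$ub
    elif id -Gn "$u" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then bits=$gb
    else bits=$ob; fi
    if [ $((bits & 2)) -ne 0 ]; then echo yes; else echo no; fi
}

# scripts_sourcing FILE DIR -> lists scripts in DIR that source FILE with `.` or `source`
scripts_sourcing() {
    f=$1; d=$2
    esc=$(printf '%s\n' "$f" | sed 's|[][\.*^$]|\\&|g')   # escape regex metacharacters in the path
    grep -lE "(^|[[:space:];&|])(\.|source)[[:space:]]+[\"']?$esc" "$d"/* 2>/dev/null
}

# audit FILE USER DIR -> 0 (AT RISK) when FILE is writable by USER and at least
# one script in DIR sources it; 1 otherwise.
audit() {
    w=$(writable_by_user "$1" "$2"); s=$(scripts_sourcing "$1" "$3")
    if [ "$w" = yes ] && [ -n "$s" ]; then
        printf 'AT RISK: %s is writable by %s and sourced by:\n%s\n' "$1" "$2" "$s"
        return 0
    fi
    printf 'OK: writable=%s sourcing-scripts=%s\n' "$w" "${s:-none}"
    return 1
}

# Usage: sh audit.sh --run DIR   (DIR = where the root-run Pi-hole scripts live; not taken from the advisory)
if [ "${1:-}" = "--run" ]; then
    audit "$VERSIONS_FILE" "$LOW_PRIV_USER" "${2:?directory holding the root-run scripts}"
fi
```

Run it as root so `stat` and `id` can resolve the pihole account; an AT RISK result means the file is still in the pre-6.4.1 state and should be fixed before the next scheduled `pihole` run.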

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade Pi-hole to version 6.4.1 or later, where this vulnerability is fixed.

Additionally, restrict write permissions to the /etc/pihole/versions file so that the pihole user cannot modify it, preventing injection of arbitrary commands.

Review and limit the privileges of the pihole user and monitor root-run Pi-hole scripts and cron jobs for suspicious activity.

