Mitigation Strategies

The immediate mitigation step is to upgrade Pi-hole FTL to version 6.6 or later, where this authorization bypass vulnerability has been fixed.

Until the upgrade can be applied, consider disabling the CLI password feature (webserver.api.cli_pw) to prevent CLI-scoped sessions from being created.

Additionally, restrict access to the Pi-hole API to trusted users only, and monitor for any unauthorized Teleporter import attempts.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-35491 is an authorization bypass vulnerability in Pi-hole FTL versions 6.0 through 6.5 related to its CLI API sessions and the Teleporter import functionality.

Pi-hole FTL has a CLI password feature that creates CLI API sessions intended to be read-only, preventing configuration changes via the /api/config endpoint by returning HTTP 403 Forbidden when a session is flagged as CLI.

However, the /api/teleporter endpoint, which allows importing Teleporter archives for backup and restore of configuration, did not enforce the same restriction. This allows CLI-scoped sessions to import Teleporter archives and overwrite configuration files, effectively bypassing intended authorization controls.

An attacker with CLI-scoped API credentials can modify Pi-hole’s configuration by exploiting this flaw.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker with CLI-scoped API credentials to modify Pi-hole’s configuration despite intended read-only restrictions.

• Disable blocking features
• Change upstream DNS servers
• Alter DHCP settings

These changes can compromise system integrity and availability, potentially disrupting network security and functionality.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by verifying if the Pi-hole FTL version in use is between 6.0 and before 6.6 and if the CLI password feature (webserver.api.cli_pw) is enabled.

To confirm the vulnerability, you can attempt to authenticate with the CLI password to obtain a session ID, then test if configuration changes via the /api/config endpoint are blocked (expecting HTTP 403 Forbidden). Next, try downloading a Teleporter archive using GET /api/teleporter and re-import it using POST /api/teleporter with the same CLI session. If the import succeeds and triggers a restart despite the CLI session scope, the system is vulnerable.

Suggested commands to test this include:

• Authenticate with CLI password to get a session ID.
• curl -H "Authorization: Bearer <CLI_session_token>" -X GET http://<pihole_ip>/admin/api/config -v (expect HTTP 403 Forbidden).
• curl -H "Authorization: Bearer <CLI_session_token>" -X GET http://<pihole_ip>/admin/api/teleporter -o backup.tar.gz
• curl -H "Authorization: Bearer <CLI_session_token>" -X POST -F "[email protected]" http://<pihole_ip>/admin/api/teleporter

If the POST request to /api/teleporter succeeds and causes a restart, the vulnerability is present.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows an attacker with CLI-scoped API credentials to modify Pi-hole's configuration, including disabling blocking, changing upstream DNS servers, or altering DHCP settings, which compromises system integrity and availability.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the ability to alter DNS and DHCP configurations could potentially impact the security controls required by these regulations, especially those related to data integrity and availability.

Organizations relying on Pi-hole for network security might face increased risk of unauthorized configuration changes, which could lead to data exposure or service disruption, thereby affecting compliance with regulations that mandate strict access controls and system integrity.

Useful 0 Not Useful 0