CVE-2026-35491
Authorization Bypass in Pi-hole FTL CLI Password Feature
Publication date: 2026-04-07
Last updated on: 2026-04-17
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| pi-hole | ftldns | From 6.0 (inclusive) to 6.6 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Pi-hole FTL to version 6.6 or later, where this authorization bypass vulnerability has been fixed.
Until the upgrade can be applied, consider disabling the CLI password feature (webserver.api.cli_pw) to prevent CLI-scoped sessions from being created.
Additionally, restrict access to the Pi-hole API to trusted users only, and monitor for any unauthorized Teleporter import attempts.
Can you explain this vulnerability to me?
CVE-2026-35491 is an authorization bypass vulnerability in Pi-hole FTL versions 6.0 through 6.5 related to its CLI API sessions and the Teleporter import functionality.
Pi-hole FTL has a CLI password feature that creates CLI API sessions intended to be read-only. The /api/config endpoint enforces this by returning HTTP 403 Forbidden for any configuration change attempted by a session flagged as CLI.
However, the /api/teleporter endpoint, which allows importing Teleporter archives for backup and restore of configuration, did not enforce the same restriction. This allows CLI-scoped sessions to import Teleporter archives and overwrite configuration files, effectively bypassing intended authorization controls.
An attacker with CLI-scoped API credentials can modify Pi-hole's configuration by exploiting this flaw.
How can this vulnerability impact me?
This vulnerability allows an attacker with CLI-scoped API credentials to modify Pi-hole's configuration despite the intended read-only restrictions, for example to:
- Disable blocking features
- Change upstream DNS servers
- Alter DHCP settings
These changes can compromise system integrity and availability, potentially disrupting network security and functionality.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by verifying whether the Pi-hole FTL version in use is 6.0 or later but earlier than 6.6 (i.e., 6.0 through 6.5) and whether the CLI password feature (webserver.api.cli_pw) is enabled.
To confirm the vulnerability, you can attempt to authenticate with the CLI password to obtain a session ID, then test if configuration changes via the /api/config endpoint are blocked (expecting HTTP 403 Forbidden). Next, try downloading a Teleporter archive using GET /api/teleporter and re-import it using POST /api/teleporter with the same CLI session. If the import succeeds and triggers a restart despite the CLI session scope, the system is vulnerable.
Suggested commands to test this include:
- Authenticate with CLI password to get a session ID.
- curl -H "Authorization: Bearer <CLI_session_token>" -X GET http://<pihole_ip>/admin/api/config -v (expect HTTP 403 Forbidden).
- curl -H "Authorization: Bearer <CLI_session_token>" -X GET http://<pihole_ip>/admin/api/teleporter -o backup.tar.gz
- curl -H "Authorization: Bearer <CLI_session_token>" -X POST -F "file=@backup.tar.gz" http://<pihole_ip>/admin/api/teleporter
If the POST request to /api/teleporter succeeds and causes a restart, the vulnerability is present.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker with CLI-scoped API credentials to modify Pi-hole's configuration, including disabling blocking, changing upstream DNS servers, or altering DHCP settings, which compromises system integrity and availability.
While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the ability to alter DNS and DHCP configurations could potentially impact the security controls required by these regulations, especially those related to data integrity and availability.
Organizations relying on Pi-hole for network security might face increased risk of unauthorized configuration changes, which could lead to data exposure or service disruption, thereby affecting compliance with regulations that mandate strict access controls and system integrity.