CVE-2026-41489
Received Received - Intake
Path Traversal in Pi-hole Core and FTL

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. From 6.0 to before Core 6.4.2 and FTL 6.6.1, two shell scripts executed as root by systemd (pihole-FTL-prestart.sh and pihole-FTL-poststop.sh) read the files.pid path from this config without validation and use it in privileged file operations (install and rm -f). By writing an arbitrary path into files.pid, an attacker with pihole privilege can cause root to delete and then recreate any file on the system outside the ProtectSystem=full-restricted directories, gaining write access to it. On a default Pi-hole installation this yields local privilege escalation to root via SSH authorized keys manipulation. If /root/.ssh/authorized_keys does not exist (default on fresh installs), only ExecStartPre is required. If the file exists, ExecStopPost deletes it first, and the same restart triggers both hooks in sequence. This vulnerability is fixed in Core 6.4.2 and FTL 6.6.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-06-21
AI Q&A
2026-05-12
EPSS Evaluated
2026-06-20
NVD
CVE-2026-41489
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
pi-hole core From 6.0 (inc) to 6.4.2 (exc)
pi-hole ftl From 6.0 (inc) to 6.6.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
CWE-15 One or more system settings or configuration elements can be externally controlled by a user.
CWE-732 The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Pi-hole versions from 6.0 to before Core 6.4.2 and FTL 6.6.1. Two shell scripts executed as root by systemd (pihole-FTL-prestart.sh and pihole-FTL-poststop.sh) read a file path from the configuration without validating it. An attacker with pihole privilege can write an arbitrary path into this configuration, causing the scripts to delete and recreate any file on the system outside certain restricted directories with root privileges.

On a default Pi-hole installation, this allows local privilege escalation to root by manipulating SSH authorized keys. If the root SSH authorized_keys file does not exist, only one script execution is needed; if it exists, both scripts run in sequence during a restart to achieve the exploit.

This vulnerability was fixed in Core 6.4.2 and FTL 6.6.1.

Detection Guidance

This vulnerability involves the Pi-hole Core versions from 6.0 to before 6.4.2 and FTL versions before 6.6.1, where two shell scripts executed as root by systemd read an unvalidated files.pid path from the configuration and perform privileged file operations. Detection involves verifying the installed versions of Pi-hole Core and FTL to see if they fall within the vulnerable range.

To detect if your system is vulnerable, you can check the installed versions of Pi-hole Core and FTL using the following commands:

  • pihole -v

This command outputs the versions of Core and FTL. If Core is between 6.0 and before 6.4.2, or FTL is before 6.6.1, the system is vulnerable.

Additionally, you can inspect the systemd service files or the scripts pihole-FTL-prestart.sh and pihole-FTL-poststop.sh to check if they are present and executed as root, which is part of the vulnerability mechanism.

Since the vulnerability involves manipulation of the files.pid path, you may also check for suspicious entries or modifications in the Pi-hole configuration files related to files.pid.

Impact Analysis

This vulnerability can lead to local privilege escalation, allowing an attacker with limited Pi-hole privileges to gain root access on the affected system.

With root access, the attacker can manipulate critical system files, including SSH authorized keys, potentially allowing persistent unauthorized access and full control over the system.

This can compromise the security and integrity of the system, leading to data breaches, system manipulation, or further attacks.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Pi-hole Core to version 6.4.2 or later and Pi-hole FTL to version 6.6.1 or later, as these versions contain the fix.

Until the upgrade is applied, restrict access to the pihole user privileges to prevent attackers from writing arbitrary paths into files.pid.

Compliance Impact

The vulnerability allows a local attacker with pihole privileges to escalate to root by manipulating file operations, potentially leading to unauthorized access and modification of sensitive system files.

Such unauthorized root access and file manipulation could lead to breaches of confidentiality, integrity, and availability of data, which are critical aspects of compliance with standards like GDPR and HIPAA.

However, the provided information does not explicitly describe the impact on compliance with these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41489. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart