CVE-2026-41489
Received Received - Intake
Path Traversal in Pi-hole Core and FTL

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. From 6.0 to before Core 6.4.2 and FTL 6.6.1, two shell scripts executed as root by systemd (pihole-FTL-prestart.sh and pihole-FTL-poststop.sh) read the files.pid path from this config without validation and use it in privileged file operations (install and rm -f). By writing an arbitrary path into files.pid, an attacker with pihole privilege can cause root to delete and then recreate any file on the system outside the ProtectSystem=full-restricted directories, gaining write access to it. On a default Pi-hole installation this yields local privilege escalation to root via SSH authorized keys manipulation. If /root/.ssh/authorized_keys does not exist (default on fresh installs), only ExecStartPre is required. If the file exists, ExecStopPost deletes it first, and the same restart triggers both hooks in sequence. This vulnerability is fixed in Core 6.4.2 and FTL 6.6.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-05-12
AI Q&A
2026-05-12
EPSS Evaluated
N/A
NVD
CVE-2026-41489
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
pi-hole core From 6.0 (inc) to 6.4.2 (exc)
pi-hole ftl From 6.0 (inc) to 6.6.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
CWE-15 One or more system settings or configuration elements can be externally controlled by a user.
CWE-732 The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Pi-hole versions from 6.0 to before Core 6.4.2 and FTL 6.6.1. Two shell scripts executed as root by systemd (pihole-FTL-prestart.sh and pihole-FTL-poststop.sh) read a file path from the configuration without validating it. An attacker with pihole privilege can write an arbitrary path into this configuration, causing the scripts to delete and recreate any file on the system outside certain restricted directories with root privileges.

On a default Pi-hole installation, this allows local privilege escalation to root by manipulating SSH authorized keys. If the root SSH authorized_keys file does not exist, only one script execution is needed; if it exists, both scripts run in sequence during a restart to achieve the exploit.

This vulnerability was fixed in Core 6.4.2 and FTL 6.6.1.


How can this vulnerability impact me? :

This vulnerability can lead to local privilege escalation, allowing an attacker with limited Pi-hole privileges to gain root access on the affected system.

With root access, the attacker can manipulate critical system files, including SSH authorized keys, potentially allowing persistent unauthorized access and full control over the system.

This can compromise the security and integrity of the system, leading to data breaches, system manipulation, or further attacks.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade Pi-hole Core to version 6.4.2 or later and Pi-hole FTL to version 6.6.1 or later, as these versions contain the fix.

Until the upgrade is applied, restrict access to the pihole user privileges to prevent attackers from writing arbitrary paths into files.pid.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart