AdGuard Home: HTTP/2 Cleartext (h2c) Upgrade Authentication Bypass
Description
AdGuard Home is a network-wide software for blocking ads and tracking. Prior to 0.107.73, an unauthenticated remote attacker can bypass all authentication in AdGuardHome by sending an HTTP/1.1 request that requests an upgrade to HTTP/2 cleartext (h2c). Once the upgrade is accepted, the resulting HTTP/2 connection is handled by the inner mux, which has no authentication middleware attached. All subsequent HTTP/2 requests on that connection are processed as fully authenticated, regardless of whether any credentials were provided. This vulnerability is fixed in 0.107.73.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
AdGuard Home prior to 0.107.73 allows unauthenticated attackers to bypass authentication via HTTP/2 cleartext (h2c) upgrade.
Root
Cause AdGuard Home prior to version 0.107.73 contains an authentication bypass vulnerability due to improper handling of HTTP/2 cleartext (h2c) upgrades. The HTTP server is configured such that authentication middleware wraps an h2c handler at the outer layer, but when an h2c upgrade request is accepted, the h2c library hijacks the underlying TCP connection and serves subsequent HTTP/2 requests using the inner mux, which lacks authentication middleware [3]. This means that while the initial upgrade request may pass through authentication (often targeting a public path like /control/login), all subsequent HTTP/2 frames are processed without any credential verification.
Exploitation
An unauthenticated remote attacker can exploit this by sending a crafted HTTP/1.1 request with an Upgrade: h2c header to any AdGuard Home instance (default port 3000). Upon successful upgrade, the attacker can then send arbitrary HTTP/2 requests to any administrative endpoint, effectively bypassing all authentication mechanisms [2]. No prior access or credentials are required, and the attack can be carried out over the network.
Impact
A successful attack grants the attacker full administrative access to the AdGuard Home instance. This allows them to modify DNS filtering rules, view query logs, change configuration, and potentially exfiltrate sensitive network data. The CVSS score for this vulnerability is 9.8 (Critical), indicating high impact on confidentiality, integrity, and availability [3].
Mitigation
The vulnerability is fixed in AdGuard Home version 0.107.73 [1]. Users are strongly advised to update immediately. There are no known workarounds, as the issue stems from the core HTTP handling logic.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/AdguardTeam/AdGuardHomeGo | < 0.107.73 | 0.107.73 |
Affected products
2- Range: <0.107.73
- AdguardTeam/AdGuardHomev5Range: < 0.107.73
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-5fg6-wrq4-w5ghghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-32136ghsaADVISORY
- github.com/AdguardTeam/AdGuardHome/security/advisories/GHSA-5fg6-wrq4-w5ghghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.