Critical severityNVD Advisory· Published Mar 11, 2026· Updated Mar 12, 2026
AdGuard Home: HTTP/2 Cleartext (h2c) Upgrade Authentication Bypass
CVE-2026-32136
Description
AdGuard Home is a network-wide software for blocking ads and tracking. Prior to 0.107.73, an unauthenticated remote attacker can bypass all authentication in AdGuardHome by sending an HTTP/1.1 request that requests an upgrade to HTTP/2 cleartext (h2c). Once the upgrade is accepted, the resulting HTTP/2 connection is handled by the inner mux, which has no authentication middleware attached. All subsequent HTTP/2 requests on that connection are processed as fully authenticated, regardless of whether any credentials were provided. This vulnerability is fixed in 0.107.73.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/AdguardTeam/AdGuardHomeGo | < 0.107.73 | 0.107.73 |
Affected products
3- ghsa-coords2 versionspkg:golang/github.com/adguardteam/adguardhomepkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6
< 0.107.73+ 1 more
- (no CPE)range: < 0.107.73
- (no CPE)range: < 0.0.20260317T205859-150000.1.152.1
- Range: < 0.107.73
Patches
Vulnerability mechanics
References
3- github.com/advisories/GHSA-5fg6-wrq4-w5ghghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-32136ghsaADVISORY
- github.com/AdguardTeam/AdGuardHome/security/advisories/GHSA-5fg6-wrq4-w5ghghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.