CVE-2026-41448
Description
AdGuard Home's --glinet flag has a critical authentication bypass vulnerability allowing full admin access via path traversal in the Admin-Token cookie.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
AdGuard Home versions prior to v0.107.77, when started with the --glinet flag, are vulnerable to an authentication bypass. This vulnerability exists due to unsanitized string concatenation in the token file path construction within the authglinet middleware, allowing path traversal sequences in the Admin-Token cookie [2].
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending a request whose Admin-Token cookie contains a path traversal payload (such as ../../..). The payload alters the constructed file path, so the file read is redirected to an arbitrary location on the filesystem [2].
Impact
Successful exploitation of this vulnerability grants an unauthenticated attacker full administrative access to AdGuard Home. This allows the attacker to perform any administrative action, potentially leading to further compromise of the network or system [2].
Mitigation
AdGuard Home version v0.107.77, released on 2023-01-25, addresses this vulnerability by fixing the authorization in GLiNET mode to prevent path traversal attacks [1]. Users are advised to update to version v0.107.77 or later. No workarounds are available.
AI Insight generated on Jun 8, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"The AdGuard Home GLiNET mode uses unsanitized string concatenation to construct a token file path, allowing path traversal."
Attack vector
An unauthenticated attacker can exploit this vulnerability by supplying a path traversal sequence, such as '../', within the Admin-Token cookie. This crafted cookie manipulates the token file path construction within the authglinet middleware. The unsanitized string concatenation allows the attacker to redirect file reads to arbitrary paths, bypassing authentication and gaining administrative access [ref_id=1].
Affected code
The vulnerability exists in the authglinet middleware, which is responsible for handling authorization in GLiNET mode. Specifically, the code constructs a token file path using user-supplied input from the Admin-Token cookie without proper sanitization, leading to path traversal [ref_id=1].
What the fix does
The patch addresses the vulnerability by sanitizing the input used in constructing the token file path within the authglinet middleware. This prevents path traversal sequences from being interpreted as directory navigation. By ensuring the path is properly validated and escaped, the system can no longer be tricked into reading arbitrary files, thus closing the authentication bypass vulnerability [ref_id=1].
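To make the root cause and the fix concrete, here is an added Go illustration (not AdGuard Home's own code; the tokenDir path, function names and the token character set are assumptions). The first function reproduces the flawed pattern of concatenating the cookie value into a path; the second validates the token and verifies that the joined path still lies inside the token directory.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// tokenDir is an assumed directory holding one file per valid admin token.
const tokenDir = "/tmp/glinet-tokens"

// vulnerableTokenPath mirrors the flaw described in the advisory: the cookie
// value is concatenated directly into the path, so ".." segments escape tokenDir.
func vulnerableTokenPath(token string) string {
	return tokenDir + "/" + token
}

// escapesTokenDir reports whether a constructed path resolves outside tokenDir.
func escapesTokenDir(p string) bool {
	return !strings.HasPrefix(filepath.Clean(p), tokenDir+string(filepath.Separator))
}

var errBadToken = errors.New("invalid admin token")

// safeTokenPath accepts only tokens built from a conservative character set
// (assumed: letters, digits, '-' and '_') and, as defense in depth, confirms
// the joined path did not leave tokenDir even after cleaning.
func safeTokenPath(token string) (string, error) {
	if token == "" || len(token) > 128 {
		return "", errBadToken
	}
	for _, r := range token {
		isAlnum := (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') || (r >= '0' && r <= '9')
		if !isAlnum && r != '-' && r != '_' {
			return "", errBadToken
		}
	}
	p := filepath.Join(tokenDir, token) // Join also cleans the path
	if escapesTokenDir(p) {
		return "", errBadToken
	}
	return p, nil
}

func main() {
	fmt.Println(vulnerableTokenPath("../../etc/passwd"), escapesTokenDir(vulnerableTokenPath("../../etc/passwd")))
	p, err := safeTokenPath("../../etc/passwd")
	fmt.Println(p, err)
	p, err = safeTokenPath("abc123")
	fmt.Println(p, err)
}
```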
Preconditions
- config: AdGuard Home must be started with the --glinet flag.
- auth: The attacker must be unauthenticated.
Generated on Jun 8, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 2
News mentions: 0
No linked articles in our index yet.