HarborGuardharborguardDatabase
Back to search
CRITICALCVE-2026-41448Published Modified CNA VulnCheck

CVE-2026-41448: AdGuard Home Authentication Bypass via Path Traversal in Admin-Token Cookie

AdGuard Home, when started with the --glinet flag, contains an authentication bypass vulnerability that allows unauthenticated attackers to gain full admin access by supplying a path traversal sequence in the Admin-Token cookie, exploiting unsanitized string concatenation in the token file path construction within the authglinet middleware. Attackers can craft a request with a traversal payload in the Admin-Token header to redirect file reads to arbitrary paths.

Metrics

CVSS v4.0
9.2
Severity
CRITICAL
Fixed in
0.107.77
Affected Products
1

Get notified

Email me when this CVE is updated: new fix versions, severity changes, or any record change.

HarborGuard Analysis

Synopsis

Authentication bypass in AdGuard Home allows unauthenticated remote attackers to gain full admin access by supplying a path traversal sequence in the Admin-Token cookie. The vulnerability exists specifically when AdGuard Home is started with the --glinet flag, and it stems from unsanitized string concatenation in the token file path construction inside the authglinet middleware. Successful exploitation gives the attacker complete administrative control over the AdGuard Home instance. A patched-image rebuild at version 0.107.77 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-41448 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream feeds, including custom-built images that bundle AdGuard Home. Coverage extends to both registry scans and active pipeline checks, so images built before the fix version are flagged wherever they appear.

Available
Triage

HarborGuard is capable of scoring this CVE at its published CVSS v4.0 severity of 9.2 (Critical) and weighting findings against each customer organization's compliance policy to prioritize alerting. Triage routing is available to direct findings to the appropriate team inbox within each customer org based on image ownership and policy configuration.

Available
Patch

A patched-image rebuild at AdGuard Home 0.107.77 becomes available on HarborGuard for any environment where an affected image is detected. For customers who opt into auto-remediation, HarborGuard can trigger a rebuild, run a regression test suite against the new image, and open a pull request against affected workloads automatically.

Available

Exploit Conditions

  • Network reachabilityRequired

    The attacker must reach the AdGuard Home admin interface over the network; the vulnerable middleware processes unauthenticated HTTP requests exposed on the network.

  • AuthenticationNot required

    No credentials are needed; the path traversal payload in the Admin-Token cookie bypasses authentication entirely before any credential check occurs.

  • Victim interactionNot required

    No user interaction is required; the attacker sends a crafted HTTP request directly to the service without any victim involvement.

  • Attack complexityDetail

    Base exploit conditions are reliable and condition-free (AC:L), though successful exploitation carries a specific precondition (AT:P): AdGuard Home must be running with the --glinet flag enabled.

Blast Radius

  • Attacker gains full administrative control over the AdGuard Home instance, including the ability to read and modify all DNS filtering rules and configurations.
  • Attacker can redirect DNS responses for all clients routed through the affected AdGuard Home server, enabling traffic interception or redirection.
  • Attacker can disable ad and malware blocking rules, exposing downstream clients to previously filtered content.
  • Service availability is lightly degraded (VA:L), meaning an attacker can partially disrupt DNS resolution for clients dependent on the instance.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-41448 is active across all scanned environments, matching images that bundle AdGuard Home versions below 0.107.77 against the published advisory within minutes of ingestion. Given the Critical severity (CVSS 9.2) and zero-authentication exploit path, this CVE is weighted at the top of triage queues under default compliance policies. A patched-image rebuild at version 0.107.77 is available for affected images. For customers who opt into auto-remediation, HarborGuard can rebuild the image, execute a regression test run, and open a pull request against affected workloads automatically; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled. Regardless of auto-remediation status, customers running AdGuard Home with the --glinet flag should treat this as a priority upgrade given the unauthenticated full-admin exploit path.

See how HarborGuard automates this

Fix available

0.107.77
Affected packages
  • AdguardTeam / AdGuardHome
    < 0.107.77 (from 0)
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
References