CVE-2026-44693: Pi-hole FTL: Unauthenticated Session Hijacking via Race Condition on Global Session Buffer
Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. Prior to version 6.6.1, Pi-hole FTL contains a race condition vulnerability in the HTTP session management subsystem, introduced with the v6.0 rewrite of the embedded CivetWeb-based web server. This issue has been patched in version 6.6.1.
Metrics
- CVSS v3.1: 8.8
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A race condition in Pi-hole FTL's HTTP session management subsystem allows an unauthenticated remote attacker to hijack active administrator sessions. The vulnerability is reachable over the network with no credentials required, but the attacker must trick a logged-in user into visiting a crafted page or triggering a timed request. Successful exploitation gives the attacker full read, write, and denial-of-service capability over the Pi-hole instance. HarborGuard is tracking the upstream advisory for patch availability, as no fix version has been published yet.
HarborGuard Coverage
Detection of CVE-2026-44693 is available across every HarborGuard environment; the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Pi-hole FTL. Any image carrying an affected version of Pi-hole FTL is flagged immediately upon the next pipeline scan or registry push.
Triage is available with a CVSS v3.1 score of 8.8 (HIGH), applied against each customer environment's compliance policy weighting to determine priority and urgency. Findings are routed to the appropriate team inbox within each customer organization based on their configured escalation rules.
Because no fix version has been published upstream, HarborGuard re-checks the Pi-hole FTL advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream fix is released. For customers with auto-remediation enabled, a rebuild, regression-test run, and PR against affected workloads will be triggered automatically as soon as a fix version becomes available.
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the Pi-hole FTL web interface over the network to deliver the exploit.
- Authentication: Not required
No credentials are needed; the attacker targets the session buffer of an already-authenticated victim rather than authenticating themselves.
- Victim interaction: Required
A logged-in Pi-hole administrator must be socially engineered into visiting a crafted page or otherwise triggering a timed HTTP request during an active session.
- Attack complexity
Although no special configuration is needed to reach the endpoint, the race condition requires the attacker to win a timing window against the shared global session buffer, which may require repeated attempts.
Blast Radius
- Reads the victim's active session token, exposing full administrative access to the Pi-hole dashboard including DNS query logs and allow/blocklists.
- Modifies DNS blocklist and allowlist rules, enabling the attacker to unblock malicious domains or block legitimate ones across the network.
- Alters upstream DNS resolver configuration, redirecting all DNS queries on the network to an attacker-controlled resolver.
- Crashes or restarts the FTL service, disrupting DNS resolution for every client on the network segment relying on Pi-hole.
How HarborGuard Handles This
Because no upstream fix for CVE-2026-44693 exists yet, HarborGuard continuously monitors the Pi-hole FTL advisory and re-evaluates it on every ingest cycle. In the meantime, customers can apply compensating controls through HarborGuard's policy engine, such as network-policy isolation rules that restrict access to the Pi-hole web interface to trusted internal IP ranges only, and egress filtering to limit exposure of the FTL HTTP port. Customers who cannot immediately restrict network access should consider feature-flag gating or disabling the embedded web server where operationally feasible. The moment the upstream project publishes a fix, a patched-image rebuild will become available on HarborGuard; for customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will follow automatically, with a median time from CVE patch publication to merged PR of around 90 minutes for HIGH-severity issues.
- pi-hole / FTL: < 6.6.1
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H