CVE-2026-33727 - Vulnerability Details

- Pi-hole has a Local Privilege Escalation (post-compromise, pihole -> root).

Description

Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Version 6.4 has a local privilege-escalation vulnerability allows code execution as root from the low-privilege pihole account. Important context: the pihole account uses nologin, so this is not a direct interactive-login issue. However, nologin does not prevent code from running as UID pihole if a Pi-hole component is compromised. In that realistic post-compromise scenario, attacker-controlled content in /etc/pihole/versions is sourced by root-run Pi-hole scripts, leading to root code execution. This vulnerability is fixed in 6.4.1.

Published: 2026-04-06

Score: 6.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in Pi‑hole version 6.4 permits a compromise of the low‑privilege pihole account to lead to code execution as root. The vulnerability arises because root‑run Pi‑hole scripts read attacker‑controlled entries from /etc/pihole/versions, which allows arbitrary code to be run with root privileges. This grants complete control over the host, including data theft, persistence, or further lateral movement.

Affected Systems

Pi‑hole deployments running version 6.4 are affected. The issue is specific to the official Pi‑hole package, and any system using that package and not yet updated to 6.4.1 will remain vulnerable.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate severity. The EPSS score is below 1%, suggesting low current exploitation likelihood, and the vulnerability is not in CISA’s Known Exploited Vulnerabilities catalog. However, the attack requires that an attacker already has the pihole user’s capabilities to be able to modify or inject files into /etc/pihole/versions, after which the vulnerability is trivially exploitable with root‑level impact. The attack vector is post‑compromise local, with no need for external network exposure.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

pi-hole

affected

Version	Status	Constraints
`>= 6.4, < 6.4.1`	affected	—

Configuration 1 [-]

cpe:2.3:a:pi-hole:pi-hole:6.4:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Pi-hole

100%

Version	Status	Scheme	Platform
`[6.4,6.4.1)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to Pi‑hole 6.4.1 or later
Verify that the Pi‑hole service runs under the pihole user and limit write permission to /etc/pihole/versions
Audit /etc/pihole/versions for unauthorized entries
Restart Pi‑hole after updates to ensure changes take effect

Generated by OpenCVE AI on April 9, 2026 at 19:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00006.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/pi-hole/pi-hole/security/advisories/GHSA-c935-8g63-qp74

History

Thu, 09 Apr 2026 18:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:pi-hole:pi-hole:6.4:::::::*

Tue, 07 Apr 2026 15:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 07 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Pi-hole Pi-hole pi-hole
Vendors & Products		Pi-hole Pi-hole pi-hole

Mon, 06 Apr 2026 15:30:00 +0000

Type	Values Removed	Values Added
Description		Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Version 6.4 has a local privilege-escalation vulnerability allows code execution as root from the low-privilege pihole account. Important context: the pihole account uses nologin, so this is not a direct interactive-login issue. However, nologin does not prevent code from running as UID pihole if a Pi-hole component is compromised. In that realistic post-compromise scenario, attacker-controlled content in /etc/pihole/versions is sourced by root-run Pi-hole scripts, leading to root code execution. This vulnerability is fixed in 6.4.1.
Title		Pi-hole has a Local Privilege Escalation (post-compromise, pihole -> root).
Weaknesses		CWE-269
References		https://github.com/pi-hole/pi-hole/security/advisories/GHSA-c935-8g63-qp74
Metrics		cvssV3_1 `{'score': 6.4, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

Pi-hole Pi-hole

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-06T15:02:19.693Z

Updated: 2026-04-07T13:06:34.177Z

Reserved: 2026-03-23T17:34:57.560Z

Link: CVE-2026-33727

Vulnrichment

Updated: 2026-04-07T13:06:31.281Z

NVD

Status : Analyzed

Published: 2026-04-06T16:16:33.987

Modified: 2026-04-09T18:18:28.370

Link: CVE-2026-33727

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:45:14Z

Weaknesses

CWE-269

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object