Description
Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Version 6.4 has a local privilege-escalation vulnerability that allows code execution as root from the low-privilege pihole account. Important context: the pihole account uses nologin, so this is not a direct interactive-login issue. However, nologin does not prevent code from running as UID pihole if a Pi-hole component is compromised. In that realistic post-compromise scenario, attacker-controlled content in /etc/pihole/versions is sourced by root-run Pi-hole scripts, leading to root code execution. This vulnerability is fixed in 6.4.1.
Published: 2026-04-06
Score: 6.4 Medium
EPSS: n/a
KEV: No
Impact: Privilege Escalation to root
Action: Apply patch
AI Analysis

Impact

Pi‑hole version 6.4 contains a local privilege‑escalation vulnerability that allows an attacker who has already gained code execution as the low‑privileged "pihole" user to replace or modify the file /etc/pihole/versions. This file is read and sourced by scripts that run as root, so the attacker can execute arbitrary code with root privileges. The weakness is a classic privilege‑escalation scenario, identified as CWE‑269. The impact is elevation of an attacker from a non‑root user to full root access on the system, enabling total control over the device and its network traffic.

Affected Systems

The affected product is Pi-hole, the network-level ad-blocking application for Linux. Only version 6.4 is vulnerable; the issue is fixed in 6.4.1. Any installation of Pi-hole 6.4 that has not been upgraded is at risk, including deployments on routers, Raspberry Pi boards, and other embedded Linux platforms.

Risk and Exploitability

The CVSS score of 6.4 indicates a moderate to high severity; no EPSS score is available, and the vulnerability is not listed in CISA's KEV catalog. Because exploitation requires a prior local compromise to place malicious content in /etc/pihole/versions, it is not exploitable from the network alone. Once an attacker has local code execution as the "pihole" user, however, escalation to root is almost immediate and straightforward, making the risk significant in a post-compromise scenario.

Generated by OpenCVE AI on April 6, 2026 at 17:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Pi-hole to version 6.4.1 or later to apply the fix.
  • Verify the integrity of the /etc/pihole/versions file and other Pi‑hole configuration files, ensuring they have not been tampered with.
  • Restrict write access to /etc/pihole/versions by setting appropriate permissions or using AppArmor/SELinux policies to prevent non‑root writes.
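
The description's mechanism (a root-run script sourcing a file the pihole account can write) and the recommended write-restriction and integrity checks come down to one defensive rule: a privileged script should not `source` a file it does not exclusively control. As an added example (not Pi-hole project code), the POSIX shell below reads a versions file as data instead; the KEY=VALUE layout, the function names, and the file paths in the demo are assumptions.

```shell
#!/bin/sh
# Added example, not Pi-hole project code. A root-run script that does
# `. /etc/pihole/versions` executes whatever shell text the file holds, so it
# trusts every writer of that file. This reader treats the file as data:
# each line must be KEY=VALUE under a strict allow-list (an assumed format),
# and the file must be a regular file owned by the expected UID with no
# group/other write bit.

# versions_file_trusted FILE OWNER_UID: 0 if FILE is a regular file (symlinks
# rejected) owned by OWNER_UID and not writable by group or others.
versions_file_trusted() {
    [ -n "$(find "$1" -prune -type f -user "$2" \
                 ! -perm -020 ! -perm -002 -print 2>/dev/null)" ]
}

# versions_file_wellformed FILE: 0 if every non-empty line is KEY=VALUE with
# KEY an upper-case identifier and VALUE limited to version-like characters.
# A command, a `;` or a `$(...)` anywhere makes the whole file invalid.
versions_file_wellformed() {
    [ -r "$1" ] || return 1
    ! grep -Ev '^([A-Z][A-Z0-9_]*=[A-Za-z0-9._-]*)?$' "$1" >/dev/null
}

# read_version FILE KEY [OWNER_UID]: prints the value of KEY; returns 1 if the
# file is untrusted, malformed or lacks KEY. The file is never sourced.
read_version() {
    f=$1; key=$2; owner=${3:-0}   # default owner: root (UID 0)
    case $key in ''|*[!A-Z0-9_]*) return 1 ;; esac
    versions_file_trusted "$f" "$owner" || return 1
    versions_file_wellformed "$f" || return 1
    v=$(sed -n "s/^${key}=//p" "$f" | head -n 1)
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# Demo on constructed files (owner = current UID so it runs unprivileged).
# "bad" holds a harmless line that `.` would execute; "loose" is world-writable.
demo() {
    d=$(mktemp -d)
    printf 'CORE_VERSION=v6.4\nWEB_VERSION=v6.3\n' > "$d/ok"
    printf 'CORE_VERSION=v6.4\necho injected\n' > "$d/bad"
    cp "$d/ok" "$d/loose"
    chmod 644 "$d/ok" "$d/bad"; chmod 666 "$d/loose"
    read_version "$d/ok" CORE_VERSION "$(id -u)"                        # prints v6.4
    read_version "$d/bad" CORE_VERSION "$(id -u)" || echo "bad: rejected"
    read_version "$d/loose" CORE_VERSION "$(id -u)" || echo "loose: rejected"
    rm -rf "$d"
}
demo
```

The same ownership and mode check can be run from a cron job or monitoring agent against the real /etc/pihole/versions to satisfy the integrity-verification item above without touching how Pi-hole itself reads the file.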

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Pi-hole
Pi-hole pi-hole
Vendors & Products Pi-hole
Pi-hole pi-hole

Mon, 06 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Description Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Version 6.4 has a local privilege-escalation vulnerability allows code execution as root from the low-privilege pihole account. Important context: the pihole account uses nologin, so this is not a direct interactive-login issue. However, nologin does not prevent code from running as UID pihole if a Pi-hole component is compromised. In that realistic post-compromise scenario, attacker-controlled content in /etc/pihole/versions is sourced by root-run Pi-hole scripts, leading to root code execution. This vulnerability is fixed in 6.4.1.
Title Pi-hole has a Local Privilege Escalation (post-compromise, pihole -> root).
Weaknesses CWE-269
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-06T15:02:19.693Z

Reserved: 2026-03-23T17:34:57.560Z

Link: CVE-2026-33727

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-06T16:16:33.987

Modified: 2026-04-06T16:16:33.987

Link: CVE-2026-33727

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-06T21:32:29Z

Weaknesses