Description
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, Pi-hole FTL supports a CLI password feature (webserver.api.cli_pw) that creates “CLI” API sessions intended to be read-only for configuration changes. While /api/config correctly blocks CLI sessions from mutating configuration, /api/teleporter allowed Teleporter imports for CLI sessions, enabling a CLI-scoped session to overwrite configuration via a Teleporter archive (authorization bypass). This vulnerability is fixed in 6.6.
Published: 2026-04-07
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Configuration Modification
Action: Apply Patch
AI Analysis

Impact

Pi-hole FTL provides an interactive API, and sessions created with a CLI password are intended to be read-only with respect to configuration changes. The flaw allows those sessions to import Teleporter archives through the /api/teleporter endpoint, which can overwrite configuration settings. This results in unauthorized modifications of DNS and filtering options, potentially disrupting service or redirecting traffic.

Affected Systems

The affected product is Pi-hole FTL versions 6.0 through 6.5 inclusive. Systems running those versions are vulnerable until updated to 6.6 or later.

Risk and Exploitability

The CVSS score of 6.1 indicates medium severity. EPSS information is not available and the issue is not listed in CISA's KEV catalog. Based on the description, exploitation requires little effort beyond possessing a CLI password: once a CLI-scoped session has been obtained, the attacker can call /api/teleporter with a malicious Teleporter archive to rewrite configuration. The vulnerability is fixed in version 6.6, so upgrading removes the risk.

Generated by OpenCVE AI on April 7, 2026 at 23:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Pi-hole FTL to version 6.6 or later.
  • If immediate upgrade is not possible, disable the /api/teleporter endpoint or restrict CLI password usage until a patch is applied.

Generated by OpenCVE AI on April 7, 2026 at 23:24 UTC.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 20:45:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 18:00:00 +0000

Type        | Values Removed | Values Added
Description |                | FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, Pi-hole FTL supports a CLI password feature (webserver.api.cli_pw) that creates “CLI” API sessions intended to be read-only for configuration changes. While /api/config correctly blocks CLI sessions from mutating configuration, /api/teleporter allowed Teleporter imports for CLI sessions, enabling a CLI-scoped session to overwrite configuration via a Teleporter archive (authorization bypass). This vulnerability is fixed in 6.6.
Title       |                | Pi-hole FTL: CLI API sessions can import Teleporter archives and modify configuration
Weaknesses  |                | CWE-863
References  |                |
Metrics     |                | cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-07T17:52:48.043Z

Reserved: 2026-04-02T20:49:44.454Z

Link: CVE-2026-35491

Vulnrichment

Updated: 2026-04-07T17:52:44.732Z

NVD

Status : Awaiting Analysis

Published: 2026-04-07T16:16:27.467

Modified: 2026-04-08T21:27:00.663

Link: CVE-2026-35491

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:48:32Z

Weaknesses