Description
AdGuard Home, when started with the --glinet flag, contains an authentication bypass vulnerability that allows unauthenticated attackers to gain full admin access by supplying a path traversal sequence in the Admin-Token cookie, exploiting unsanitized string concatenation in the token file path construction within the authglinet middleware. Attackers can craft a request with a traversal payload in the Admin-Token header to redirect file reads to arbitrary paths.
Published: 2026-06-08
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

AdGuard Home, when started with the --glinet flag, contains an authentication bypass that allows an unauthenticated attacker to supply a path traversal sequence in the Admin-Token cookie or header. The flaw arises from unsanitized string concatenation used when constructing the token file path within the authglinet middleware, enabling the attacker to redirect file reads to arbitrary paths. This vulnerability can lead to full administrative control over the application without the need to supply valid credentials.
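The weakness described above is plain string concatenation of a caller-controlled token into a filesystem path. The following Go snippet is an added illustration written for this page; it is not AdGuard Home's authglinet code, and the token directory and identifier format are assumptions. It places the weak pattern beside a hardened version that restricts the token to a flat identifier, builds the path with filepath.Join, and confirms the cleaned result is still inside the token directory, which is the usual CWE-22 mitigation.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// tokenDir is an assumed location for per-session token files; the advisory
// does not say where AdGuard Home stores them.
const tokenDir = "/var/lib/glinet-tokens"

// ErrBadToken is returned for any token that cannot be mapped to a file
// directly inside tokenDir.
var ErrBadToken = errors.New("admin token rejected")

// unsafeTokenPath reproduces the weak pattern the advisory describes: the
// caller-controlled token is concatenated straight into the path, so a value
// containing ".." segments resolves to a file outside tokenDir.
func unsafeTokenPath(token string) string {
	return tokenDir + "/" + token
}

// safeTokenPath is the hardened form. It accepts only a flat identifier made
// of [A-Za-z0-9_-] (an assumed token format), joins it with filepath.Join, and
// then checks that the cleaned path is still strictly inside tokenDir.
func safeTokenPath(token string) (string, error) {
	if token == "" || len(token) > 128 {
		return "", ErrBadToken
	}
	for _, r := range token {
		switch {
		case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z', r >= '0' && r <= '9', r == '-', r == '_':
		default:
			return "", ErrBadToken
		}
	}
	p := filepath.Join(tokenDir, token)
	// Defense in depth: even if the allowlist were loosened later, refuse any
	// result that is tokenDir itself or escapes it.
	rel, err := filepath.Rel(tokenDir, p)
	if err != nil || rel == "." || strings.HasPrefix(rel, "..") {
		return "", ErrBadToken
	}
	return p, nil
}

// isSafe reports whether a token passes the hardened check. Rejections are a
// useful detection signal to log at the middleware.
func isSafe(token string) bool {
	_, err := safeTokenPath(token)
	return err == nil
}

func main() {
	// Constructed sample inputs: a well-formed token and a traversal attempt.
	for _, tok := range []string{"a1b2c3d4", "../../../etc/hostname"} {
		p, err := safeTokenPath(tok)
		fmt.Printf("token=%q concat=%q hardened=%q err=%v\n", tok, unsafeTokenPath(tok), p, err)
	}
}
```

The allowlist alone already blocks traversal; the filepath.Rel containment check remains so that the function stays safe if the accepted token alphabet is ever widened.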

Affected Systems

The issue affects the AdGuardHome product from AdguardTeam. It applies to any deployment that enables the deprecated --glinet authentication mode; the record does not narrow the affected range to specific release versions, so every installation started with this flag should be treated as vulnerable.

Risk and Exploitability

The CVSS score of 9.2 classifies the flaw as critical. An attacker only needs to send an HTTP request containing a crafted Admin-Token header; no prior authentication is required. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, so while the likelihood of exploitation is uncertain, the potential impact is high and the attack can be performed remotely over the network.

Generated by OpenCVE AI on June 8, 2026 at 18:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AdGuard Home to the latest release that includes the authglinet path-traversal fix (see release v0.107.77).
  • If an upgrade cannot be performed immediately, start AdGuard Home without the --glinet flag to remove the vulnerable authentication path.
  • Restrict external access to the admin interface with network segmentation or firewall rules so that unauthenticated parties cannot reach it.


Advisories

No advisories yet.

History

Tue, 09 Jun 2026 09:00:00 +0000

Values Added (no values removed):
First Time appeared: Adguard; Adguard adguardhome
Vendors & Products: Adguard; Adguard adguardhome

Mon, 08 Jun 2026 18:15:00 +0000

Values Added (no values removed):
Metrics: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 08 Jun 2026 17:00:00 +0000

Values Added (no values removed):
Description: AdGuard Home, when started with the --glinet flag, contains an authentication bypass vulnerability that allows unauthenticated attackers to gain full admin access by supplying a path traversal sequence in the Admin-Token cookie, exploiting unsanitized string concatenation in the token file path construction within the authglinet middleware. Attackers can craft a request with a traversal payload in the Admin-Token header to redirect file reads to arbitrary paths.
Title: AdGuard Home Authentication Bypass via Path Traversal in Admin-Token Cookie
Weaknesses: CWE-22
References: (none)
Metrics: cvssV3_1
{'score': 9.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L'}
Metrics: cvssV4_0
{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-08T17:55:39.024Z

Reserved: 2026-04-20T16:07:47.309Z

Link: CVE-2026-41448

Vulnrichment

Updated: 2026-06-08T17:55:24.702Z

NVD

Status : Deferred

Published: 2026-06-08T17:16:42.847

Modified: 2026-06-09T13:51:18.770

Link: CVE-2026-41448

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T08:45:37Z

Weaknesses
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')