Description
Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. From 6.0 to before Core 6.4.2 and FTL 6.6.1, two shell scripts executed as root by systemd (pihole-FTL-prestart.sh and pihole-FTL-poststop.sh) read the files.pid path from this config without validation and use it in privileged file operations (install and rm -f). By writing an arbitrary path into files.pid, an attacker with pihole privilege can cause root to delete and then recreate any file on the system outside the ProtectSystem=full-restricted directories, gaining write access to it. On a default Pi-hole installation this yields local privilege escalation to root via SSH authorized keys manipulation. If /root/.ssh/authorized_keys does not exist (default on fresh installs), only ExecStartPre is required. If the file exists, ExecStopPost deletes it first, and the same restart triggers both hooks in sequence. This vulnerability is fixed in Core 6.4.2 and FTL 6.6.1.
Published: 2026-05-11
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Two shell scripts executed as root by systemd read an unvalidated configuration file path and use it in privileged file operations. An attacker with pihole privilege can write a malicious file path to the configuration and cause root to delete and then recreate any file outside the protected directories, thereby gaining write access to arbitrary files, including the SSH authorized_keys file. The flaw originates from improper handling of configuration data (CWE‑15), improper permission handling (CWE‑269), and incorrect file permissions (CWE‑732).

Affected Systems

The vulnerability affects Pi‑hole installations running Core versions 6.0 up to, but not including, Core 6.4.2, as well as FTL versions up to, but not including, FTL 6.6.1. The flaw is present in the systemd unit that invokes the pre‑start and post‑stop shell scripts pihole‑FTL‑prestart.sh and pihole‑FTL‑poststop.sh, both executed with root privileges. An attacker must have the right to modify the Pi‑hole configuration directory to abuse the flaw.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog. The attack surface is local: to modify the Pi-hole configuration files, the attacker must already be able to run commands with pihole privilege. By writing an arbitrary path into files.pid, the attacker can cause the system to delete and recreate files such as /root/.ssh/authorized_keys, which gives the attacker root shell access. Because the flaw is triggered at service start and stop, any normal Pi-hole restart is enough to execute the exploit.

Generated by OpenCVE AI on May 11, 2026 at 22:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Pi‑hole Core to version 6.4.2 or later, or upgrade FTL to version 6.6.1 or later, which eliminate the vulnerable scripts
  • If an upgrade cannot be performed immediately, edit the pihole‑FTL.service unit to remove or comment out the ExecStartPre and ExecStopPost directives, disabling the vulnerable hooks
  • Restrict write access to the Pi‑hole configuration directory and the files.pid entry by setting owner root and mode 0600, ensuring only trusted users can alter the path used by the scripts
  • Monitor /root/.ssh/authorized_keys and other sensitive files for changes as an additional safeguard against unauthorized modification
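
The missing validation described above can be sketched as follows. This is an added example, not Pi-hole's own code or its actual fix: a check a root-run hook could apply to a config-supplied PID path before handing it to install or rm -f. The function name pid_path_is_safe and the allowed-directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Pi-hole's code): refuse a config-supplied PID path unless
# it names a *.pid file directly inside one allowed runtime directory.
# pid_path_is_safe and the allowed-directory argument are hypothetical.

pid_path_is_safe() {
    pid_path=$1
    allowed_dir=$2

    # Absolute paths only, and no parent-directory components.
    case "$pid_path" in
        /*) ;;
        *) return 1 ;;
    esac
    case "$pid_path" in
        */../*|*/..) return 1 ;;
    esac

    # The final component must look like a PID file.
    base=${pid_path##*/}
    case "$base" in
        ?*.pid) ;;
        *) return 1 ;;
    esac

    # Resolve symlinks in the parent and require it to be the allowed directory.
    parent=${pid_path%/*}
    [ -n "$parent" ] || parent=/
    real_parent=$(cd "$parent" 2>/dev/null && pwd -P) || return 1
    real_allowed=$(cd "$allowed_dir" 2>/dev/null && pwd -P) || return 1
    [ "$real_parent" = "$real_allowed" ] || return 1

    # A symlink as the final component would redirect the privileged operation.
    [ ! -L "$pid_path" ] || return 1
    return 0
}

# Constructed demo: a temporary directory stands in for the runtime directory.
demo_dir=$(mktemp -d)
for candidate in "$demo_dir/pihole-FTL.pid" "/root/.ssh/authorized_keys" \
                 "$demo_dir/../etc/cron.pid"; do
    if pid_path_is_safe "$candidate" "$demo_dir"; then
        echo "accept  $candidate"
    else
        echo "refuse  $candidate"
    fi
done
rm -rf "$demo_dir"
```

A check like this still leaves a window between validation and use if the unprivileged account can write to the allowed directory, so that directory should be writable by root only.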

Advisories

No advisories yet.

History

Mon, 11 May 2026 23:45:00 +0000

Values added (the Values Removed column is empty):
  • First Time appeared: Pi-hole; Pi-hole pi-hole
  • Vendors & Products: Pi-hole; Pi-hole pi-hole

Mon, 11 May 2026 20:45:00 +0000

Values added (the Values Removed column is empty):
  • Description: identical to the text under Description at the top of this page
  • Title: Pi-hole: Local privilege escalation via config-controlled path in root-executed service hooks
  • Weaknesses: CWE-15, CWE-269, CWE-732
  • References
  • Metrics: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T20:21:38.905Z

Reserved: 2026-04-20T16:14:19.007Z

Link: CVE-2026-41489

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-05-11T21:19:00.267

Modified: 2026-05-12T16:38:54.943

Link: CVE-2026-41489

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T23:30:02Z

Weaknesses