Pi-hole FTL, the core engine that blocks advertisements and trackers on a network, contains a race condition in its HTTP session management system. The flaw allows an attacker, even without credentials, to manipulate the global session buffer and hijack a legitimate user’s session, effectively impersonating that user. This can lead to unauthorized actions and exfiltration of data within the network, affecting the confidentiality and integrity of the system; because the flaw is accessed through the web interface, availability may also be impacted if a malicious actor repeatedly floods the service.

Vendors affected are Pi-hole, specifically the FTL component. All FTL releases from the 6.0 rewrite up to, but not including, 6.6.1 are vulnerable. The issue was fixed in the 6.6.1 release, so any installation running a version older than 6.6.1 should be considered at risk.

The vulnerability is scored CVSS 8.8, indicating high risk. The EPSS score is not available, and it is not currently listed in the CISA KEV catalog. The likely attack vector is the exposed web interface, which can be reached from any host that can connect to the Pi-hole device. Because the flaw is unauthenticated, any attacker who can reach the interface can exploit the race condition to hijack sessions. The exploitation does not require special privileges or complex setup beyond sending race‑condition requests to the web server.