Description
Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. Prior to version 6.6.1, Pi-hole FTL contains a race condition vulnerability in the HTTP session management subsystem, introduced with the v6.0 rewrite of the embedded CivetWeb-based web server. This issue has been patched in version 6.6.1.
Published: 2026-06-10
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Pi-hole FTL, the core engine that blocks advertisements and trackers on a network, contains a race condition in its HTTP session management system. The flaw allows an attacker, even without credentials, to manipulate the global session buffer and hijack a legitimate user’s session, effectively impersonating that user. This can lead to unauthorized actions and exfiltration of data within the network, affecting the confidentiality and integrity of the system; because the flaw is accessed through the web interface, availability may also be impacted if a malicious actor repeatedly floods the service.

Affected Systems

Vendors affected are Pi-hole, specifically the FTL component. All FTL releases from the 6.0 rewrite up to, but not including, 6.6.1 are vulnerable. The issue was fixed in the 6.6.1 release, so any installation running a version older than 6.6.1 should be considered at risk.

Risk and Exploitability

The vulnerability is scored CVSS 8.8, indicating high risk. The EPSS score is not available, and it is not currently listed in the CISA KEV catalog. The likely attack vector is the exposed web interface, which can be reached from any host that can connect to the Pi-hole device. Because the flaw is unauthenticated, any attacker who can reach the interface can exploit the race condition to hijack sessions. The exploitation does not require special privileges or complex setup beyond sending race‑condition requests to the web server.

Generated by OpenCVE AI on June 10, 2026 at 23:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Pi-hole FTL to version 6.6.1 or later.
  • Restrict or disable remote access to the Pi-hole web interface to trusted hosts only.
  • If an upgrade cannot be performed immediately, isolate the Pi-hole device from untrusted networks and monitor for suspicious authentication activity.

Generated by OpenCVE AI on June 10, 2026 at 23:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 11 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Pi-hole
Pi-hole ftl
Vendors & Products Pi-hole
Pi-hole ftl

Wed, 10 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Description Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. Prior to version 6.6.1, Pi-hole FTL contains a race condition vulnerability in the HTTP session management subsystem, introduced with the v6.0 rewrite of the embedded CivetWeb-based web server. This issue has been patched in version 6.6.1.
Title Pi-hole FTL: Unauthenticated Session Hijacking via Race Condition on Global Session Buffer
Weaknesses CWE-362
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T03:55:28.698Z

Reserved: 2026-05-07T17:07:09.315Z

Link: CVE-2026-44693

cve-icon Vulnrichment

Updated: 2026-06-11T15:48:14.480Z

cve-icon NVD

Status : Deferred

Published: 2026-06-10T23:16:46.690

Modified: 2026-06-11T17:16:33.733

Link: CVE-2026-44693

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-11T10:40:37Z

Weaknesses
  • CWE-362

    Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')