CVE-2026-32136 Overview
CVE-2026-32136 is an authentication bypass vulnerability in AdGuard Home, a network-wide software solution for blocking ads and tracking. Prior to version 0.107.73, an unauthenticated remote attacker can bypass all authentication in AdGuardHome by sending an HTTP/1.1 request that requests an upgrade to HTTP/2 cleartext (h2c). Once the upgrade is accepted, the resulting HTTP/2 connection is handled by the inner mux, which has no authentication middleware attached. All subsequent HTTP/2 requests on that connection are processed as fully authenticated, regardless of whether any credentials were provided.
Critical Impact
This vulnerability allows complete authentication bypass, enabling unauthenticated attackers to gain full administrative access to AdGuard Home instances exposed to the network.
Affected Products
- AdGuard Home versions prior to 0.107.73
Discovery Timeline
- 2026-03-11 - CVE CVE-2026-32136 published to NVD
- 2026-03-12 - Last updated in NVD database
Technical Details for CVE-2026-32136
Vulnerability Analysis
This authentication bypass vulnerability (CWE-287) stems from a fundamental architectural flaw in how AdGuard Home handles HTTP protocol upgrades. When a client initiates an HTTP/1.1 to HTTP/2 cleartext (h2c) upgrade, the upgraded connection is routed to an internal multiplexer that lacks the authentication middleware present on the primary request handler.
The vulnerability is particularly severe because it requires no credentials and can be exploited remotely over the network. An attacker simply needs to craft an HTTP/1.1 request with the appropriate upgrade headers to transition to an unauthenticated HTTP/2 session. Once this upgrade completes, the attacker has unrestricted access to all administrative functions within AdGuard Home.
Root Cause
The root cause lies in the separation between the outer HTTP handler (which includes authentication middleware) and the inner multiplexer (mux) that handles upgraded HTTP/2 connections. When AdGuard Home accepts an h2c upgrade request, it transitions the connection to the inner mux without carrying forward the authentication requirements. This architectural oversight means that any HTTP/2 frames sent over the upgraded connection bypass all authentication checks entirely.
Attack Vector
The attack is initiated over the network and requires no authentication or user interaction. An attacker targets an exposed AdGuard Home instance by sending a specially crafted HTTP/1.1 request with headers indicating a desire to upgrade to HTTP/2 cleartext. The standard HTTP upgrade mechanism uses the Upgrade: h2c header along with HTTP2-Settings to negotiate the protocol switch.
Once the server accepts the upgrade and switches to HTTP/2, all subsequent requests on that connection are processed by the inner mux without authentication. This allows the attacker to perform any administrative action, including modifying DNS settings, disabling protection, accessing logs, or potentially pivoting to other network resources.
The vulnerability exploits the h2c (HTTP/2 cleartext) upgrade mechanism where the connection upgrade header bypasses the authentication layer. For detailed technical information, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-32136
Indicators of Compromise
- HTTP/1.1 requests containing Upgrade: h2c headers targeting AdGuard Home instances
- Unexpected administrative configuration changes in AdGuard Home without corresponding authenticated sessions
- HTTP/2 connections established without prior authentication events in access logs
- Anomalous DNS configuration modifications or filtering rule changes
Detection Strategies
- Monitor web server and proxy logs for HTTP upgrade requests containing h2c protocol specifications
- Implement network-level detection rules to alert on HTTP/1.1 to HTTP/2 cleartext upgrade attempts
- Review AdGuard Home audit logs for administrative actions that lack corresponding authentication events
- Deploy intrusion detection signatures to identify the specific header patterns associated with h2c upgrades
Monitoring Recommendations
- Enable verbose logging on AdGuard Home instances to capture all connection upgrade attempts
- Configure network security monitoring tools to baseline normal HTTP traffic patterns and alert on h2c upgrade requests
- Implement centralized log collection for all AdGuard Home instances to facilitate correlation and analysis
- Establish alerting for configuration changes to critical DNS and filtering settings
How to Mitigate CVE-2026-32136
Immediate Actions Required
- Upgrade AdGuard Home to version 0.107.73 or later immediately
- Restrict network access to AdGuard Home administrative interfaces using firewall rules
- Place AdGuard Home behind a reverse proxy that does not forward h2c upgrade requests
- Review recent configuration changes and audit logs for signs of unauthorized access
Patch Information
AdGuard has released version 0.107.73 which addresses this vulnerability by ensuring authentication middleware is applied to all connection types, including upgraded HTTP/2 connections. Organizations should prioritize upgrading to this patched version. For additional details, see the GitHub Security Advisory.
Workarounds
- Deploy a reverse proxy in front of AdGuard Home that terminates h2c upgrade requests before they reach the application
- Implement network-level access controls to restrict access to AdGuard Home to trusted IP addresses only
- Disable external network access to AdGuard Home until patching can be completed
- If using a load balancer or WAF, configure rules to block requests containing Upgrade: h2c headers
# Example: Block h2c upgrades at nginx reverse proxy level
# Add to nginx server block for AdGuard Home
location / {
# Block HTTP/2 cleartext upgrade requests
if ($http_upgrade ~* "h2c") {
return 403;
}
proxy_pass http://adguardhome:3000;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
