CVE-2026-35491 Overview
CVE-2026-35491 is an authorization bypass vulnerability in FTLDNS (pihole-FTL), the core component that provides an interactive API and generates statistics for Pi-hole's Web interface. The vulnerability exists in versions 6.0 to before 6.6 and allows CLI-scoped API sessions to bypass intended access controls and overwrite system configuration through the Teleporter import functionality.
Critical Impact
A local attacker with CLI session access can bypass authorization controls and overwrite Pi-hole configuration by exploiting inconsistent access control enforcement between /api/config and /api/teleporter endpoints.
Affected Products
- Pi-hole FTL versions 6.0 to before 6.6
- FTLDNS (pihole-FTL) with CLI password feature enabled (webserver.api.cli_pw)
Discovery Timeline
- 2026-04-07 - CVE-2026-35491 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-35491
Vulnerability Analysis
This vulnerability (CWE-863: Incorrect Authorization) stems from inconsistent enforcement of access controls across API endpoints in Pi-hole FTL. The application implements a CLI password feature (webserver.api.cli_pw) that creates "CLI" API sessions intended to be read-only: they may query state but must not change configuration. The /api/config endpoint correctly recognizes CLI sessions and rejects configuration mutations from them, but the /api/teleporter endpoint does not apply the same check.
The Teleporter feature imports and exports configuration archives so that administrators can back up and restore settings. Because the authorization logic for this endpoint does not restrict CLI sessions, the security model is inconsistent: an attacker holding a CLI-scoped session can import an attacker-controlled Teleporter archive and overwrite the Pi-hole configuration, bypassing the read-only restriction that applies to the same session elsewhere.
Root Cause
The root cause is a CWE-863 (Incorrect Authorization) flaw: the session-type restriction that /api/config enforces is missing from the Teleporter import path, so /api/teleporter accepts a CLI session without verifying that it is authorized to change configuration.
Attack Vector
The attack requires local access to the host running Pi-hole FTL, since the CLI password created by the webserver.api.cli_pw feature is only available on that host. An attacker who can read it authenticates to obtain a CLI-scoped API session, crafts a Teleporter archive containing the desired configuration changes, and submits it to the /api/teleporter endpoint. Because this endpoint does not treat CLI sessions as read-only, the import proceeds and overwrites the existing configuration.
The attack scenario involves:
- Establishing a CLI-scoped API session with the locally available CLI password
- Creating a Teleporter archive with attacker-controlled configuration
- Submitting the archive to /api/teleporter, which does not apply the CLI session restriction
- Overwriting the Pi-hole configuration (for example upstream DNS servers or blocking lists) with the attacker's settings
Detection Methods for CVE-2026-35491
Indicators of Compromise
- Unexpected configuration changes to Pi-hole settings without corresponding administrative actions
- Teleporter import events in Pi-hole logs originating from CLI sessions
- Modifications to DNS blocking lists, upstream DNS servers, or other critical Pi-hole settings
Detection Strategies
- Monitor Pi-hole FTL logs for Teleporter import operations and correlate with session types
- Implement file integrity monitoring on Pi-hole configuration files to detect unauthorized modifications
- Review API access logs for unusual patterns of CLI session activity targeting the /api/teleporter endpoint
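As an added example (not Pi-hole project code), the following POSIX shell script implements the file integrity check suggested above for the files a Teleporter import can overwrite. It records a SHA-256 baseline and later reports each file as OK, MODIFIED or MISSING. The default paths /etc/pihole/pihole.toml and /etc/pihole/gravity.db are assumptions for a standard Pi-hole v6 installation, and the function names are mine; adjust PIHOLE_FILES to cover whatever your deployment restores from Teleporter archives.

```sh
#!/bin/sh
# Added example: baseline-and-compare integrity check for Pi-hole configuration.
# Not part of Pi-hole; paths below are assumed defaults for a v6 install.
PIHOLE_FILES=${PIHOLE_FILES:-"/etc/pihole/pihole.toml /etc/pihole/gravity.db"}
BASELINE=${BASELINE:-/var/lib/pihole-fim/baseline.txt}

# hash_file PATH: print the SHA-256 hex digest of PATH (sha256sum or shasum).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# fim_baseline BASELINE_FILE PATH...: record "digest  path" for every PATH.
# Run this against a known-good configuration, e.g. right after a clean install.
fim_baseline() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        printf '%s  %s\n' "$(hash_file "$f")" "$f" >> "$out"
    done
}

# fim_compare BASELINE_FILE: rehash every recorded path and print a verdict per file.
# Returns 0 when everything matches, 1 when any file is MODIFIED or MISSING,
# so it can drive a cron job or alert.
fim_compare() {
    rc=0
    while read -r want path; do
        if [ ! -f "$path" ]; then
            printf 'MISSING  %s\n' "$path"; rc=1
        elif [ "$(hash_file "$path")" != "$want" ]; then
            printf 'MODIFIED %s\n' "$path"; rc=1
        else
            printf 'OK       %s\n' "$path"
        fi
    done < "$1"
    return $rc
}

# Usage: fim.sh baseline   (record known-good digests)
#        fim.sh check      (compare current files against the baseline)
case "${1:-}" in
    baseline) mkdir -p "$(dirname "$BASELINE")"
              # shellcheck disable=SC2086  # word splitting of PIHOLE_FILES is intended
              fim_baseline "$BASELINE" $PIHOLE_FILES ;;
    check)    fim_compare "$BASELINE" ;;
esac
```

Run `fim.sh baseline` against a configuration you trust and `fim.sh check` from cron or your monitoring agent; a MODIFIED verdict on pihole.toml or gravity.db that does not line up with a known administrative change (or a Teleporter import you performed yourself) is the indicator to investigate.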
Monitoring Recommendations
- Enable detailed logging for the Pi-hole FTL API to capture session type and endpoint access patterns
- Configure alerts for configuration changes that occur outside of expected maintenance windows
- Limit shell access to the Pi-hole host, since the CLI password is only usable locally; segmenting the web/API interface from untrusted networks is worthwhile defense in depth but does not address a local attacker
How to Mitigate CVE-2026-35491
Immediate Actions Required
- Upgrade Pi-hole FTL to version 6.6 or later immediately
- Review recent Teleporter import activity in logs for any unauthorized configuration changes
- Restrict access to CLI sessions and audit users with local system access
- Verify current Pi-hole configuration integrity against known-good backups
Patch Information
This vulnerability is fixed in Pi-hole FTL version 6.6. Users should upgrade to this version or later to remediate the authorization bypass. The patch ensures that CLI sessions are properly restricted from performing Teleporter imports, maintaining consistent access control enforcement across all configuration-modifying endpoints. For detailed information, see the GitHub Security Advisory.
Workarounds
- Disable the CLI password feature (webserver.api.cli_pw) if not required for operations
- Restrict local system access to trusted administrators only until the patch is applied
- Limit exposure of the FTL API at the host and network level (bind address, firewall rules), keeping in mind that this issue is exercised with a locally obtained CLI password, so host-level access control matters most
- Monitor and audit all Teleporter operations until the upgrade is complete
# Upgrade Pi-hole FTL to patched version
pihole -up
# Verify that the reported FTL version is 6.6 or later
pihole -v
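As an added example (not Pi-hole project code), the following POSIX shell script automates the two checks above: it decides whether an FTL version string falls in the affected range 6.0 <= version < 6.6 and, when run with `--check` on a host, reports the state of webserver.api.cli_pw and disables it as the interim workaround. It assumes `pihole-FTL -v` prints the version (for example "v6.5") on its first line and that `pihole-FTL --config <key>` prints, and `pihole-FTL --config <key> <value>` sets, a configuration value; the function names are mine.

```sh
#!/bin/sh
# Added example: affected-version check and cli_pw workaround for CVE-2026-35491.
# Not part of Pi-hole. Assumes "pihole-FTL -v" prints e.g. "v6.5" on its first
# line and "pihole-FTL --config KEY [VALUE]" reads or writes a config key.

# ver_field VERSION N: N-th dot-separated numeric component of VERSION, 0 if absent.
# A leading "v" and any suffix such as "-dev" are ignored.
ver_field() {
    f=$(printf '%s' "${1#v}" | sed 's/[^0-9.]/./g' | cut -d. -f"$2")
    printf '%s\n' "${f:-0}"
}

# version_ge A B: succeed when A >= B, comparing major.minor.patch numerically.
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(ver_field "$1" "$i"); y=$(ver_field "$2" "$i")
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# ftl_affected VERSION: succeed when VERSION is in [6.0, 6.6), the range
# affected by CVE-2026-35491.
ftl_affected() {
    version_ge "$1" 6.0 && ! version_ge "$1" 6.6
}

# live_check: query the running FTL and apply the workaround if needed.
# Returns 0 when the host is patched, 1 when it is still affected.
live_check() {
    ver=$(pihole-FTL -v 2>/dev/null | head -n1 | tr -d ' \r')
    if ! ftl_affected "$ver"; then
        echo "FTL $ver is outside the affected range; nothing to do."
        return 0
    fi
    echo "FTL $ver is affected by CVE-2026-35491: upgrade with 'pihole -up'."
    cli_pw=$(pihole-FTL --config webserver.api.cli_pw 2>/dev/null)
    if [ "$cli_pw" = "true" ]; then
        echo "webserver.api.cli_pw is enabled; disabling it as an interim workaround."
        pihole-FTL --config webserver.api.cli_pw false   # requires root or the pihole user
    else
        echo "webserver.api.cli_pw is already disabled (value: '$cli_pw')."
    fi
    return 1
}

# Usage: check-cve-2026-35491.sh --check
if [ "${1:-}" = "--check" ]; then
    live_check
fi
```

Disabling cli_pw removes the locally stored password that CLI sessions are created from, so API-backed `pihole` commands will need to authenticate another way until the host is upgraded; re-enable it with `pihole-FTL --config webserver.api.cli_pw true` once `pihole-FTL -v` reports 6.6 or later.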
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.