CVE-2026-41489 Overview
CVE-2026-41489 is a local privilege escalation vulnerability in Pi-hole, a DNS sinkhole used to block unwanted content network-wide. The flaw affects Pi-hole versions from 6.0 up to (but not including) Core 6.4.2 and FTL 6.6.1. Two systemd-invoked shell scripts, pihole-FTL-prestart.sh and pihole-FTL-poststop.sh, run as root and consume the files.pid configuration value without validation. An attacker holding pihole group privileges can redirect those privileged file operations to arbitrary paths. On a default installation, this enables root-level compromise by planting an SSH key in /root/.ssh/authorized_keys.
Critical Impact
Local attackers with pihole user privileges can escalate to root by abusing unvalidated configuration input used in privileged install and rm -f operations.
Affected Products
- Pi-hole Core versions 6.0 through 6.4.1
- Pi-hole FTL versions 6.0 through 6.6.0
- Default Pi-hole installations running systemd-managed FTL service
Discovery Timeline
- 2026-05-11 - CVE-2026-41489 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-41489
Vulnerability Analysis
The vulnerability resides in two helper scripts executed by systemd as root: pihole-FTL-prestart.sh (invoked via ExecStartPre) and pihole-FTL-poststop.sh (invoked via ExecStopPost). Both scripts read the files.pid value from the Pi-hole configuration and use it directly in privileged file operations. The prestart script calls install to create the PID file, while the poststop script calls rm -f against the same path.
Neither script validates that the configured path points to an expected location. The Pi-hole configuration is writable by accounts in the pihole group, allowing a low-privileged local account to alter files.pid to any filesystem path. When the FTL service restarts, root performs delete-and-recreate operations against that attacker-controlled target, ultimately yielding write access to the new file.
Root Cause
The root cause is improper external variable handling [CWE-15]. The scripts trust user-influenced configuration data to construct paths used in root-owned filesystem operations. Operations remain bounded by ProtectSystem=full-restricted, but writable directories such as /root remain reachable, defeating the intended isolation.
Attack Vector
An attacker with pihole privileges writes an arbitrary path (for example, /root/.ssh/authorized_keys) into the files.pid configuration field. They then trigger an FTL service restart. If authorized_keys does not exist (common on fresh installs), only ExecStartPre runs, and root creates the file with attacker-controlled contents through the subsequent ownership flow. If the file exists, ExecStopPost deletes it first via rm -f, then ExecStartPre recreates it during the same restart cycle. The attacker then writes an SSH public key into the recreated file and logs in as root over SSH.
A technical writeup is available in the Pi-hole GitHub Security Advisory.
Detection Methods for CVE-2026-41489
Indicators of Compromise
- Unexpected modifications to the files.pid value in Pi-hole configuration files
- Creation, deletion, or modification of /root/.ssh/authorized_keys correlated with pihole-FTL service restarts
- New or unfamiliar SSH public keys appearing in any user's authorized_keys file
- pihole-FTL service restarts initiated by non-administrative accounts
Detection Strategies
- Audit Pi-hole configuration changes that target the files.pid key, especially values pointing outside /run or /var/run
- Monitor systemd journal entries for pihole-FTL.service start and stop events that coincide with sensitive file changes
- Use file integrity monitoring on /root/.ssh/, /etc/sudoers.d/, and other privileged write targets
Monitoring Recommendations
- Enable auditd rules on authorized_keys files and Pi-hole configuration directories
- Alert on install or rm invocations by root that operate on paths outside expected runtime directories
- Track membership changes to the pihole group and review which accounts hold that privilege
How to Mitigate CVE-2026-41489
Immediate Actions Required
- Upgrade Pi-hole Core to version 6.4.2 or later and FTL to version 6.6.1 or later
- Review the current files.pid configuration value and reset it to the default runtime path
- Audit /root/.ssh/authorized_keys and other privileged files for unauthorized entries
- Restrict membership in the pihole group to trusted administrators only
Patch Information
The vulnerability is fixed in Pi-hole Core 6.4.2 and FTL 6.6.1. The fixes introduce path validation for files.pid before it is consumed by the privileged systemd helper scripts. Refer to the Pi-hole Security Advisory GHSA-6w8x-p785-6pm4 for full upgrade guidance.
Workarounds
- Remove unnecessary local accounts from the pihole group until patching is complete
- Tighten systemd unit hardening for pihole-FTL.service by adding ReadWritePaths= constraints limited to expected runtime directories
- Apply stricter ProtectSystem and ProtectHome settings to block writes to /root from the service context
# Verify installed Pi-hole versions and upgrade
pihole -v
pihole -up
# Confirm files.pid points to an expected runtime path
grep -R "files.pid" /etc/pihole/
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
