External risk intelligence

AdGuard Home Authentication Bypass via Path Traversal in Admin-Token Cookie

CVE advisorySeverity: CRITICAL (CVSS 9.2)

CVE-2026-41448

AdGuard Home is typically deployed as a local network DNS server or ad blocker, which is generally not intended for public internet exposure. While it provides a web-based management interface, this interface is usually accessed only from within the local network or via a VPN, making direct public-internet-facing exposure uncommon in standard deployments.

Path Traversal

Halo Surface Signal: 3 out of 5 — possibly public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability exists in AdGuard Home, affecting its authentication mechanism when started with a specific flag. This flaw could allow unauthorized individuals to gain full administrative control of the system by manipulating a cookie. The main concern is confirming if this specific configuration is in use and if it is exposed to potential attackers.

  • Authentication bypass allows admin access.
  • Critical issue if exposed and misconfigured.
  • Confirm usage and exposure of this feature.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker could exploit this vulnerability by sending a specially crafted request to the AdGuard Home service. By manipulating the `Admin-Token` cookie with a path traversal sequence, the attacker can trick the service into reading an arbitrary file, ultimately bypassing authentication and gaining full administrative access.

  • No authentication required.
  • Path traversal in `Admin-Token` cookie.
  • Full administrative access granted.

Live Threat

Current exploitation, exposure, and threat context

When AdGuard Home is started with the `--glinet` flag, an unauthenticated attacker could bypass authentication to gain full administrative access. This is possible by supplying a path traversal sequence within the `Admin-Token` cookie, which can redirect file reads to arbitrary paths due to unsanitized string concatenation.

  • Admin access to the service.
  • Path traversal in `Admin-Token` cookie.
  • Unauthorized administrative control.

Operational Fix

Recommended remediation, mitigation, and detection steps

The critical authentication bypass in AdGuard Home, particularly when using the `--glinet` flag, requires immediate attention from teams managing the AdGuard Home instances. The first practical step is to identify all deployments, confirm their accessibility, and determine business criticality to prioritize remediation efforts. Since AdGuard Home is often deployed internally, platform or infrastructure teams are likely responsible, with support from security teams for exposure assessment and vendor-management if a managed service is involved.

  • Identify AdGuard Home instances and their owners.
  • Verify external reachability and business criticality.
  • Plan remediation based on identified risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is AdGuard Home?

AdGuard Home is network-wide software used to block advertisements and malicious trackers. It functions as a DNS server that filters internet traffic for devices on a home or small office network. It includes a web-based dashboard that administrators use to manage filtering rules, view query logs, and configure network settings.

What does CWE-22 mean for CVE-2026-41448?

CVE-2026-41448 is classified under CWE-22, which is Improper Limitation of a Pathname to a Restricted Directory, commonly known as path traversal. In this case, the software fails to properly sanitize the Admin-Token cookie before using it to locate files. This allows an attacker to use special characters to navigate outside intended directories, tricking the application into granting full administrative access.

How can an attacker trigger this vulnerability?

An attacker triggers this by sending a network request containing a manipulated Admin-Token cookie that includes path traversal sequences. Crucially, this vulnerability only exists when the AdGuard Home service is started with the specific --glinet flag. If your instance is not running with this flag, the vulnerable code path that processes these cookies is not active.

Is my AdGuard Home instance at risk from the internet?

According to Halo Surface Signal, AdGuard Home is typically designed for local network use and is not intended for direct public exposure. While the vulnerability is critical, the risk is lower if your dashboard is only accessible from within your local network or via a secure VPN, as this limits the ability of external actors to reach the service.

What should I do if I run AdGuard Home?

Start by auditing your infrastructure to identify all running AdGuard Home instances and check if the --glinet flag is enabled. Once identified, evaluate if those instances are exposed to the internet. If you find systems meeting both criteria, restrict access to the web interface to trusted users immediately while you coordinate with your team to review the vendor's guidance for updates.

References