AdGuard Home, the popular network-wide software used to silence ads and block trackers across entire households, is facing a serious security challenge. A critical vulnerability, tracked as CVE-2026-32136, has been uncovered with a CVSS score of 9.8.
The flaw allows an unauthenticated remote attacker to completely bypass the software’s security gates, potentially granting them full control over a user’s network DNS settings without ever needing a password.
The bypass gives full administrative API access, including:
- Reading and modifying DNS configuration
- Adding malicious filter lists
- Disabling protection
- Changing the admin password
- Hijacking DNS resolution for all clients on the network
The vulnerability centers on how the software handles HTTP/2 Cleartext (h2c) upgrades. Typically, AdGuard Home operates as a DNS server that “black holes” tracking domains, but it also features a web-based administrative interface for management.
In the affected version, an attacker can send a standard HTTP/1.1 request that asks the server to “upgrade” the connection to h2c. Because the upgrade request itself often targets a publicly accessible path—like the login page—it is allowed through the initial security checks.
The technical breakdown reveals a classic architectural oversight in the file internal/home/web.go. The developers placed the authentication middleware at the outer layer of the connection handler.
When an h2c upgrade occurs:
- The h2c library “hijacks” the TCP connection.
- It passes the connection to an “inner mux” (a request router) that was stored during the initial setup.
- The Problem: This inner mux has no authentication middleware attached to it.
As a result, every subsequent request sent over that new HTTP/2 connection is treated as fully authenticated. The server essentially stops asking for credentials, allowing the attacker to reach any administrative endpoint they desire.
This specifically affects users running version v0.107.72 of AdGuard Home. Fortunately, HTTP/2 over TLS (h2) is not affected by this flaw. The vulnerability is strictly limited to cleartext h2c upgrades.
Developers have been advised to move the authentication middleware inside the h2c handler so that it applies to the inner mux regardless of how the connection was established.
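The wiring described above and the advised fix, as a standard-library Go model added here (not AdGuard Home's code). `h2cModel` stands in for the h2c library's handler; `requireAuth`, `adminStatus` and the `/admin/config` path are hypothetical names, and the requests are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// requireAuth is a hypothetical middleware: only /login is reachable without a session cookie.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, err := r.Cookie("session"); err != nil && r.URL.Path != "/login" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// h2cModel models an upgrade handler: after an upgrade, the next request goes straight to inner.
func h2cModel(inner http.Handler, next *http.Request) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Upgrade") == "h2c" {
			r = next // connection taken over: this request never passes the outer chain
		}
		inner.ServeHTTP(w, r)
	})
}

// adminStatus returns the status an unauthenticated admin request gets under each wiring.
func adminStatus(authInside, viaUpgrade bool) int {
	mux := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "ok") })
	admin := httptest.NewRequest("GET", "/admin/config", nil) // constructed; no session cookie
	root := requireAuth(h2cModel(mux, admin))                 // auth outside: the flawed wiring
	if authInside {
		root = h2cModel(requireAuth(mux), admin) // auth inside: the advised fix
	}
	first := admin
	if viaUpgrade {
		first = httptest.NewRequest("GET", "/login", nil) // public path, allowed through
		first.Header.Set("Upgrade", "h2c")
	}
	rec := httptest.NewRecorder()
	root.ServeHTTP(rec, first)
	return rec.Code
}

func main() {
	fmt.Println("auth outside:", adminStatus(false, false), adminStatus(false, true))
	fmt.Println("auth inside: ", adminStatus(true, false), adminStatus(true, true))
}
```

With the middleware outside, a direct request is still rejected, which is why ordinary testing of the admin paths would not reveal the problem; only the upgraded path skips the check.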
Users must upgrade to v0.107.73 immediately to neutralize the attack surface. If h2c support is not required for your setup, removing the handler entirely will eliminate the vulnerability.