CVE-2026-32136

Source
https://cve.org/CVERecord?id=CVE-2026-32136
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32136.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-32136
Aliases
Published
2026-03-11T21:42:31.422Z
Modified
2026-03-15T14:54:32.100707Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
AdGuard Home: HTTP/2 Cleartext (h2c) Upgrade Authentication Bypass
Details

AdGuard Home is network-wide software for blocking ads and tracking. Prior to 0.107.73, an unauthenticated remote attacker can bypass all authentication in AdGuard Home by sending an HTTP/1.1 request that requests an upgrade to HTTP/2 cleartext (h2c). Once the upgrade is accepted, the resulting HTTP/2 connection is handled by the inner mux, which has no authentication middleware attached. All subsequent HTTP/2 requests on that connection are processed as fully authenticated, regardless of whether any credentials were provided. This vulnerability is fixed in 0.107.73.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-287"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32136.json"
}
References

Affected packages

Git / github.com/adguardteam/adguardhome

Affected ranges

Type
GIT
Repo
https://github.com/adguardteam/adguardhome
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v0.*
v0.1
v0.100.0
v0.100.1
v0.100.2
v0.100.3
v0.100.4
v0.100.5
v0.100.6
v0.100.7
v0.100.8
v0.100.9
v0.101.0
v0.102.0
v0.103.0
v0.103.0-beta1
v0.103.0-beta2
v0.103.0-beta3
v0.103.1
v0.103.2
v0.103.3
v0.104.0
v0.104.0-beta1
v0.104.0-beta2
v0.104.0-beta3
v0.104.1
v0.104.2
v0.104.3
v0.105.0
v0.105.0-beta.1
v0.105.0-beta.2
v0.105.0-beta.3
v0.105.0-beta.4
v0.105.0-beta.5
v0.105.1
v0.105.1-beta.1
v0.105.2
v0.105.2-beta.1
v0.106.0
v0.106.0-b.1
v0.106.0-b.2
v0.106.0-b.3
v0.106.0-b.4
v0.106.0-b.5
v0.107.0
v0.107.0-b.1
v0.107.0-b.10
v0.107.0-b.11
v0.107.0-b.12
v0.107.0-b.13
v0.107.0-b.14
v0.107.0-b.15
v0.107.0-b.16
v0.107.0-b.17
v0.107.0-b.2
v0.107.0-b.3
v0.107.0-b.4
v0.107.0-b.5
v0.107.0-b.6
v0.107.0-b.7
v0.107.0-b.8
v0.107.0-b.9
v0.107.1
v0.107.10
v0.107.11
v0.107.12
v0.107.13
v0.107.14
v0.107.15
v0.107.16
v0.107.17
v0.107.18
v0.107.19
v0.107.2
v0.107.20
v0.107.21
v0.107.22
v0.107.23
v0.107.24
v0.107.25
v0.107.26
v0.107.27
v0.107.28
v0.107.29
v0.107.3
v0.107.30
v0.107.31
v0.107.32
v0.107.33
v0.107.34
v0.107.35
v0.107.36
v0.107.37
v0.107.38
v0.107.39
v0.107.4
v0.107.40
v0.107.41
v0.107.42
v0.107.43
v0.107.44
v0.107.45
v0.107.46
v0.107.47
v0.107.48
v0.107.49
v0.107.5
v0.107.50
v0.107.51
v0.107.52
v0.107.53
v0.107.54
v0.107.55
v0.107.56
v0.107.57
v0.107.58
v0.107.59
v0.107.6
v0.107.60
v0.107.61
v0.107.62
v0.107.63
v0.107.64
v0.107.65
v0.107.66
v0.107.67
v0.107.68
v0.107.69
v0.107.7
v0.107.70
v0.107.71
v0.107.72
v0.107.8
v0.107.9
v0.9
v0.9-hotfix1
v0.91
v0.92
v0.92-hotfix1
v0.92-hotfix2
v0.93
v0.94
v0.95
v0.95-hotfix
v0.96
v0.96-hotfix
v0.97.0
v0.97.1
v0.98.0
v0.98.1
v0.99.0
v0.99.1
v0.99.2
v0.99.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32136.json"