Skip to main content

Pi Hole CVE-2026-33727

| EUVDEUVD-2026-19291 MEDIUM
Improper Privilege Management (CWE-269)
2026-04-06 GitHub_M
6.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.4 MEDIUM
AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
6.4.1
EUVD ID Assigned
Apr 06, 2026 - 15:30 euvd
EUVD-2026-19291
Analysis Generated
Apr 06, 2026 - 15:30 vuln.today
CVE Published
Apr 06, 2026 - 15:02 nvd
MEDIUM 6.4

DescriptionGitHub Advisory

Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Version 6.4 has a local privilege-escalation vulnerability allows code execution as root from the low-privilege pihole account. Important context: the pihole account uses nologin, so this is not a direct interactive-login issue. However, nologin does not prevent code from running as UID pihole if a Pi-hole component is compromised. In that realistic post-compromise scenario, attacker-controlled content in /etc/pihole/versions is sourced by root-run Pi-hole scripts, leading to root code execution. This vulnerability is fixed in 6.4.1.

AnalysisAI

Pi-hole 6.4 allows local privilege escalation to root code execution via insecure sourcing of attacker-controlled content in /etc/pihole/versions by root-run scripts. A compromised low-privilege pihole account can inject malicious code that executes with root privileges, despite the pihole account using nologin shell. This vulnerability is fixed in version 6.4.1.

Technical ContextAI

Pi-hole is a DNS-based ad-blocking service running on Linux systems. The vulnerability stems from CWE-269 (Improper Access Control) where root-privileged Pi-hole scripts source configuration or version data from /etc/pihole/versions without proper validation. The pihole account, though configured with nologin to prevent direct interactive login, can still execute code if a Pi-hole component is compromised (e.g., via a separate vulnerability in the web dashboard or FTL daemon). When root-run scripts then source attacker-modified files from /etc/pihole/versions, the injected code executes with root privileges. This pattern is a classic privilege escalation chain: initial compromise of the pihole account (which has legitimate process execution capabilities) followed by code injection into files trusted by root-level processes.

RemediationAI

Upgrade to Pi-hole version 6.4.1 or later, which fixes the insecure sourcing of version information. The vendor-released patch corrects the privilege escalation by implementing proper input validation and file ownership/permission controls for files sourced by root-run scripts. Administrators should apply the patch immediately to all Pi-hole 6.4 installations. Additional hardening steps include: verify that /etc/pihole/versions and related configuration files are owned by root with restricted write permissions (not writable by the pihole account), and review the Pi-hole security advisory at https://github.com/pi-hole/pi-hole/security/advisories/GHSA-c935-8g63-qp74 for detailed technical context and any interim mitigations if upgrading is delayed.

CVE-2025-34087 HIGH POC
8.8 Jul 03

Pi-hole versions up to 3.3 contain an authenticated command injection via the domain allowlist functionality. When addin

CVE-2020-11108 HIGH POC
8.8 May 11

The Gravity updater in Pi-hole through 4.4 allows an authenticated adversary to upload arbitrary files. Rated high sever

CVE-2021-29449 MEDIUM POC
6.3 Apr 14

Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Rated medium severity (CVSS 6.

CVE-2020-8816 HIGH POC
7.2 May 29

Pi-hole Web v4.3.2 (aka AdminLTE) allows Remote Code Execution by privileged dashboard users via a crafted DHCP static l

CVE-2024-34361 HIGH POC
8.8 Jul 05

Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. Rated

CVE-2021-32706 HIGH POC
8.8 Aug 04

Pi-hole's Web interface provides a central location to manage a Pi-hole instance and review performance statistics. Rate

CVE-2021-29448 HIGH POC
8.8 Apr 15

Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Rated high severity (CVSS 8.8)

CVE-2020-14162 HIGH POC
7.8 Jul 30

An issue was discovered in Pi-Hole through 5.0. Rated high severity (CVSS 7.8), this vulnerability is low attack complex

CVE-2020-12620 HIGH POC
7.8 Jul 30

Pi-hole 4.4 allows a user able to write to /etc/pihole/dns-servers.conf to escalate privileges through command injection

CVE-2024-44069 HIGH POC
7.5 Aug 19

Pi-hole before 6 allows unauthenticated admin/api.php?setTempUnit= calls to change the temperature units of the web dash

CVE-2024-28247 MEDIUM POC
6.5 Mar 27

The Pi-hole is a DNS sinkhole that protects your devices from unwanted content without installing any client-side softwa

CVE-2026-41489 HIGH
8.8 May 11

Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. From

Share

CVE-2026-33727 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy