Skip to main content

Pi Hole CVE-2026-41489

| EUVDEUVD-2026-29295 HIGH
Incorrect Permission Assignment for Critical Resource (CWE-732)
2026-05-11 GitHub_M
8.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
May 11, 2026 - 22:18 EUVD
CVE Published
May 11, 2026 - 20:21 nvd
HIGH 8.8

DescriptionGitHub Advisory

Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. From 6.0 to before Core 6.4.2 and FTL 6.6.1, two shell scripts executed as root by systemd (pihole-FTL-prestart.sh and pihole-FTL-poststop.sh) read the files.pid path from this config without validation and use it in privileged file operations (install and rm -f). By writing an arbitrary path into files.pid, an attacker with pihole privilege can cause root to delete and then recreate any file on the system outside the ProtectSystem=full-restricted directories, gaining write access to it. On a default Pi-hole installation this yields local privilege escalation to root via SSH authorized keys manipulation. If /root/.ssh/authorized_keys does not exist (default on fresh installs), only ExecStartPre is required. If the file exists, ExecStopPost deletes it first, and the same restart triggers both hooks in sequence. This vulnerability is fixed in Core 6.4.2 and FTL 6.6.1.

Analysis

Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. From 6.0 to before Core 6.4.2 and FTL 6.6.1, two shell scripts executed as root by systemd (pihole-FTL-prestart.sh and pihole-FTL-poststop.sh) read the files.pid path from this config without validation and use it in privileged file operations (install and rm -f). By writing an arbitrary path into files.pid, an attacker with pihole privilege can cause root to delete and then recreate any file on the system outside the ProtectSystem=full-restricted directories, gaining write access to it. On a default Pi-hole installation this yields local privilege escalation to root via SSH authorized keys manipulation. If /root/.ssh/authorized_keys does not exist (default on fresh installs), only ExecStartPre is required. If the file exists, ExecStopPost deletes it first, and the same restart triggers both hooks in sequence. This vulnerability is fixed in Core 6.4.2 and FTL 6.6.1.

CVE-2025-34087 HIGH POC
8.8 Jul 03

Pi-hole versions up to 3.3 contain an authenticated command injection via the domain allowlist functionality. When addin

CVE-2020-11108 HIGH POC
8.8 May 11

The Gravity updater in Pi-hole through 4.4 allows an authenticated adversary to upload arbitrary files. Rated high sever

CVE-2021-29449 MEDIUM POC
6.3 Apr 14

Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Rated medium severity (CVSS 6.

CVE-2020-8816 HIGH POC
7.2 May 29

Pi-hole Web v4.3.2 (aka AdminLTE) allows Remote Code Execution by privileged dashboard users via a crafted DHCP static l

CVE-2024-34361 HIGH POC
8.8 Jul 05

Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. Rated

CVE-2021-32706 HIGH POC
8.8 Aug 04

Pi-hole's Web interface provides a central location to manage a Pi-hole instance and review performance statistics. Rate

CVE-2021-29448 HIGH POC
8.8 Apr 15

Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Rated high severity (CVSS 8.8)

CVE-2020-14162 HIGH POC
7.8 Jul 30

An issue was discovered in Pi-Hole through 5.0. Rated high severity (CVSS 7.8), this vulnerability is low attack complex

CVE-2020-12620 HIGH POC
7.8 Jul 30

Pi-hole 4.4 allows a user able to write to /etc/pihole/dns-servers.conf to escalate privileges through command injection

CVE-2024-44069 HIGH POC
7.5 Aug 19

Pi-hole before 6 allows unauthenticated admin/api.php?setTempUnit= calls to change the temperature units of the web dash

CVE-2024-28247 MEDIUM POC
6.5 Mar 27

The Pi-hole is a DNS sinkhole that protects your devices from unwanted content without installing any client-side softwa

CVE-2021-32793 MEDIUM POC
4.8 Aug 04

Pi-hole's Web interface provides a central location to manage a Pi-hole instance and review performance statistics. Rate

Share

CVE-2026-41489 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy