Skip to main content

Pi-hole FTL CVE-2026-44693

HIGH
Race Condition (CWE-362)
2026-06-10 GitHub_M
8.8
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vuln.today AI
7.5 HIGH

Network-reachable admin UI (AV:N), no auth needed by attacker (PR:N), but UI:R for concurrent admin activity and AC:H since race-window timing is non-trivial; full session compromise yields C/I/A:H.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 10, 2026 - 22:53 vuln.today
Analysis Generated
Jun 10, 2026 - 22:53 vuln.today

DescriptionCVE.org

Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. Prior to version 6.6.1, Pi-hole FTL contains a race condition vulnerability in the HTTP session management subsystem, introduced with the v6.0 rewrite of the embedded CivetWeb-based web server. This issue has been patched in version 6.6.1.

AnalysisAI

Session hijacking in Pi-hole FTL versions prior to 6.6.1 stems from a race condition in the CivetWeb-based HTTP session management subsystem introduced during the v6.0 rewrite. Remote attackers can leverage concurrent requests to compromise web admin session state, potentially gaining high-impact access (C:H/I:H/A:H per CVSS 8.8) to the DNS sinkhole and network filtering controls. No public exploit identified at time of analysis, but vendor has published an upstream fix in v6.6.1.

Technical ContextAI

Pi-hole FTL (Faster Than Light) is the C-based daemon at the heart of Pi-hole, handling DNS resolution, query logging, and the embedded administrative web interface. Since version 6.0, the project replaced its prior web stack with CivetWeb, an embedded HTTP server library, and the HTTP session management code introduced in that rewrite contains a CWE-362 concurrent-execution race condition. Race conditions in session subsystems typically arise from unsynchronized access to session token tables, cookie-to-session mappings, or per-session state structures, where two concurrent requests can interleave reads and writes such that one client observes or hijacks another's session context. The v6.6.1 release notes corroborate this, citing PR #2835 'thread-safety issues causing SIGSEGV under concurrent API load,' PR #2833 'rare race condition for SHM strings in API handlers,' and PR #2847 'thread-safety for concurrent API requests,' indicating broader concurrency hardening around the API surface.

RemediationAI

Vendor-released patch: upgrade Pi-hole FTL to version 6.6.1 or later, available at https://github.com/pi-hole/FTL/releases/tag/v6.6.1, with full advisory details at https://github.com/pi-hole/FTL/security/advisories/GHSA-9ff5-f3v5-2xc7. Until the upgrade is applied, restrict access to the Pi-hole web admin interface (default TCP/80 and /admin path) to trusted management networks via firewall rules or by binding the embedded web server to localhost only, accepting that this disables remote administration; additionally, avoid keeping multiple concurrent admin browser sessions open simultaneously, since the race requires overlapping HTTP session activity, though this is operationally inconvenient rather than a hard fix. Do not rely on disabling the API while leaving the web UI exposed, as the underlying CivetWeb session subsystem is shared.

More in Ftl

View all
CVE-2026-35521 HIGH
8.8 Apr 07

Remote code execution in Pi-hole FTL engine versions 6.0 through 6.5 allows authenticated attackers to execute arbitrary

CVE-2026-35520 HIGH
8.8 Apr 07

Remote code execution in Pi-hole FTL engine versions 6.0 through 6.5 allows authenticated attackers to inject arbitrary

CVE-2026-35519 HIGH
8.8 Apr 07

Remote code execution in Pi-hole FTL 6.0 through 6.5 allows authenticated attackers to execute arbitrary commands via ne

CVE-2026-35518 HIGH
8.8 Apr 07

Remote code execution in Pi-hole FTL DNS engine versions 6.0 through 6.5 allows authenticated attackers to execute arbit

CVE-2026-35517 HIGH
8.8 Apr 07

Remote code execution in Pi-hole FTL engine versions 6.0 through 6.5 allows authenticated attackers with low privileges

CVE-2022-30573 HIGH
8.8 Aug 09

The ftlserver component of TIBCO Software Inc.'s TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition, TIBCO FTL

CVE-2019-11209 HIGH
8.8 Aug 20

The realm configuration component of TIBCO Software Inc.'s TIBCO FTL Community Edition, TIBCO FTL Developer Edition, TIB

CVE-2018-12412 HIGH
8.8 Nov 06

The realm server (tibrealmserver) component of TIBCO Software Inc. Rated high severity (CVSS 8.8), this vulnerability is

CVE-2022-30574 HIGH
7.8 Aug 09

The ftlserver component of TIBCO Software Inc.'s TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition, TIBCO FTL

CVE-2021-28820 HIGH
7.8 Mar 23

The FTL Server (tibftlserver), FTL C API, FTL Golang API, FTL Java API, and FTL .Net API components of TIBCO Software In

CVE-2021-28819 HIGH
7.8 Mar 23

The Windows Installation component of TIBCO Software Inc.'s TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition

CVE-2021-35497 HIGH
7.5 Oct 05

The FTL Server (tibftlserver) and Docker images containing tibftlserver components of TIBCO Software Inc.'s TIBCO Active

Share

CVE-2026-44693 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy