Pi-hole FTL CVE-2026-44693
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Network-reachable admin UI (AV:N), no auth needed by attacker (PR:N), but UI:R for concurrent admin activity and AC:H since race-window timing is non-trivial; full session compromise yields C/I/A:H.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker. Prior to version 6.6.1, Pi-hole FTL contains a race condition vulnerability in the HTTP session management subsystem, introduced with the v6.0 rewrite of the embedded CivetWeb-based web server. This issue has been patched in version 6.6.1.
AnalysisAI
Session hijacking in Pi-hole FTL versions prior to 6.6.1 stems from a race condition in the CivetWeb-based HTTP session management subsystem introduced during the v6.0 rewrite. Remote attackers can leverage concurrent requests to compromise web admin session state, potentially gaining high-impact access (C:H/I:H/A:H per CVSS 8.8) to the DNS sinkhole and network filtering controls. No public exploit identified at time of analysis, but vendor has published an upstream fix in v6.6.1.
Technical ContextAI
Pi-hole FTL (Faster Than Light) is the C-based daemon at the heart of Pi-hole, handling DNS resolution, query logging, and the embedded administrative web interface. Since version 6.0, the project replaced its prior web stack with CivetWeb, an embedded HTTP server library, and the HTTP session management code introduced in that rewrite contains a CWE-362 concurrent-execution race condition. Race conditions in session subsystems typically arise from unsynchronized access to session token tables, cookie-to-session mappings, or per-session state structures, where two concurrent requests can interleave reads and writes such that one client observes or hijacks another's session context. The v6.6.1 release notes corroborate this, citing PR #2835 'thread-safety issues causing SIGSEGV under concurrent API load,' PR #2833 'rare race condition for SHM strings in API handlers,' and PR #2847 'thread-safety for concurrent API requests,' indicating broader concurrency hardening around the API surface.
RemediationAI
Vendor-released patch: upgrade Pi-hole FTL to version 6.6.1 or later, available at https://github.com/pi-hole/FTL/releases/tag/v6.6.1, with full advisory details at https://github.com/pi-hole/FTL/security/advisories/GHSA-9ff5-f3v5-2xc7. Until the upgrade is applied, restrict access to the Pi-hole web admin interface (default TCP/80 and /admin path) to trusted management networks via firewall rules or by binding the embedded web server to localhost only, accepting that this disables remote administration; additionally, avoid keeping multiple concurrent admin browser sessions open simultaneously, since the race requires overlapping HTTP session activity, though this is operationally inconvenient rather than a hard fix. Do not rely on disabling the API while leaving the web UI exposed, as the underlying CivetWeb session subsystem is shared.
Remote code execution in Pi-hole FTL engine versions 6.0 through 6.5 allows authenticated attackers to execute arbitrary
Remote code execution in Pi-hole FTL engine versions 6.0 through 6.5 allows authenticated attackers to inject arbitrary
Remote code execution in Pi-hole FTL 6.0 through 6.5 allows authenticated attackers to execute arbitrary commands via ne
Remote code execution in Pi-hole FTL DNS engine versions 6.0 through 6.5 allows authenticated attackers to execute arbit
Remote code execution in Pi-hole FTL engine versions 6.0 through 6.5 allows authenticated attackers with low privileges
The ftlserver component of TIBCO Software Inc.'s TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition, TIBCO FTL
The realm configuration component of TIBCO Software Inc.'s TIBCO FTL Community Edition, TIBCO FTL Developer Edition, TIB
The realm server (tibrealmserver) component of TIBCO Software Inc. Rated high severity (CVSS 8.8), this vulnerability is
The ftlserver component of TIBCO Software Inc.'s TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition, TIBCO FTL
The FTL Server (tibftlserver), FTL C API, FTL Golang API, FTL Java API, and FTL .Net API components of TIBCO Software In
The Windows Installation component of TIBCO Software Inc.'s TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition
The FTL Server (tibftlserver) and Docker images containing tibftlserver components of TIBCO Software Inc.'s TIBCO Active
Same weakness CWE-362 – Race Condition
View allSame technique Race Condition
View allShare
External POC / Exploit Code
Leaving vuln.today