Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Lifecycle Timeline
4DescriptionGitHub Advisory
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, Pi-hole FTL supports a CLI password feature (webserver.api.cli_pw) that creates “CLI” API sessions intended to be read-only for configuration changes. While /api/config correctly blocks CLI sessions from mutating configuration, /api/teleporter allowed Teleporter imports for CLI sessions, enabling a CLI-scoped session to overwrite configuration via a Teleporter archive (authorization bypass). This vulnerability is fixed in 6.6.
AnalysisAI
Pi-hole FTL versions 6.0 through 6.5 allow authenticated local users with CLI API session privileges to bypass authorization controls and overwrite configuration settings via Teleporter archive imports. The vulnerability exists because the /api/teleporter endpoint incorrectly permits CLI-scoped sessions (intended to be read-only) to execute privileged Teleporter operations, while the /api/config endpoint correctly enforces restrictions. This authentication bypass is fixed in Pi-hole FTL 6.6.
Technical ContextAI
Pi-hole FTL is the DNS/DHCP server component of Pi-hole that provides both an interactive API and statistical data for the Web interface. The vulnerability stems from inconsistent authorization enforcement across API endpoints. The webserver.api.cli_pw configuration feature creates CLI-scoped API sessions that should be restricted to read-only operations for configuration queries. However, the /api/teleporter endpoint fails to validate session scope before processing Teleporter archive uploads, allowing CLI sessions to import configuration archives that modify system state. This is classified as CWE-863 (Incorrect Authorization), indicating that the authorization check was either missing or improperly implemented at the Teleporter endpoint. The affected product is identified by CPE cpe:2.3:a:pi-hole:ftl:*:*:*:*:*:*:*:* for all versions from 6.0 to 6.5.
RemediationAI
Upgrade Pi-hole FTL to version 6.6 or later, which includes proper authorization checks for the /api/teleporter endpoint. Users unable to immediately patch should restrict the assignment of CLI API credentials to trusted users only and monitor API access logs for unexpected Teleporter import requests. If webserver.api.cli_pw is not in active use, disabling the CLI password feature eliminates the attack surface. Consult the official security advisory at https://github.com/pi-hole/FTL/security/advisories/GHSA-r7g8-3fj7-m5qq for detailed upgrade instructions and confirmation of patched versions.
Remote code execution in Pi-hole FTL engine versions 6.0 through 6.5 allows authenticated attackers to execute arbitrary
Remote code execution in Pi-hole FTL engine versions 6.0 through 6.5 allows authenticated attackers to inject arbitrary
Remote code execution in Pi-hole FTL 6.0 through 6.5 allows authenticated attackers to execute arbitrary commands via ne
Remote code execution in Pi-hole FTL DNS engine versions 6.0 through 6.5 allows authenticated attackers to execute arbit
Remote code execution in Pi-hole FTL engine versions 6.0 through 6.5 allows authenticated attackers with low privileges
Session hijacking in Pi-hole FTL versions prior to 6.6.1 stems from a race condition in the CivetWeb-based HTTP session
The ftlserver component of TIBCO Software Inc.'s TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition, TIBCO FTL
The realm configuration component of TIBCO Software Inc.'s TIBCO FTL Community Edition, TIBCO FTL Developer Edition, TIB
The realm server (tibrealmserver) component of TIBCO Software Inc. Rated high severity (CVSS 8.8), this vulnerability is
The ftlserver component of TIBCO Software Inc.'s TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition, TIBCO FTL
The FTL Server (tibftlserver), FTL C API, FTL Golang API, FTL Java API, and FTL .Net API components of TIBCO Software In
The Windows Installation component of TIBCO Software Inc.'s TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19676