Skip to main content

Ftl EUVDEUVD-2026-19676

| CVE-2026-35491 MEDIUM
Incorrect Authorization (CWE-863)
2026-04-07 GitHub_M
6.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.1 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
Low

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
6.6
EUVD ID Assigned
Apr 07, 2026 - 15:30 euvd
EUVD-2026-19676
Analysis Generated
Apr 07, 2026 - 15:30 vuln.today
CVE Published
Apr 07, 2026 - 15:00 nvd
MEDIUM 6.1

DescriptionGitHub Advisory

FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, Pi-hole FTL supports a CLI password feature (webserver.api.cli_pw) that creates “CLI” API sessions intended to be read-only for configuration changes. While /api/config correctly blocks CLI sessions from mutating configuration, /api/teleporter allowed Teleporter imports for CLI sessions, enabling a CLI-scoped session to overwrite configuration via a Teleporter archive (authorization bypass). This vulnerability is fixed in 6.6.

AnalysisAI

Pi-hole FTL versions 6.0 through 6.5 allow authenticated local users with CLI API session privileges to bypass authorization controls and overwrite configuration settings via Teleporter archive imports. The vulnerability exists because the /api/teleporter endpoint incorrectly permits CLI-scoped sessions (intended to be read-only) to execute privileged Teleporter operations, while the /api/config endpoint correctly enforces restrictions. This authentication bypass is fixed in Pi-hole FTL 6.6.

Technical ContextAI

Pi-hole FTL is the DNS/DHCP server component of Pi-hole that provides both an interactive API and statistical data for the Web interface. The vulnerability stems from inconsistent authorization enforcement across API endpoints. The webserver.api.cli_pw configuration feature creates CLI-scoped API sessions that should be restricted to read-only operations for configuration queries. However, the /api/teleporter endpoint fails to validate session scope before processing Teleporter archive uploads, allowing CLI sessions to import configuration archives that modify system state. This is classified as CWE-863 (Incorrect Authorization), indicating that the authorization check was either missing or improperly implemented at the Teleporter endpoint. The affected product is identified by CPE cpe:2.3:a:pi-hole:ftl:*:*:*:*:*:*:*:* for all versions from 6.0 to 6.5.

RemediationAI

Upgrade Pi-hole FTL to version 6.6 or later, which includes proper authorization checks for the /api/teleporter endpoint. Users unable to immediately patch should restrict the assignment of CLI API credentials to trusted users only and monitor API access logs for unexpected Teleporter import requests. If webserver.api.cli_pw is not in active use, disabling the CLI password feature eliminates the attack surface. Consult the official security advisory at https://github.com/pi-hole/FTL/security/advisories/GHSA-r7g8-3fj7-m5qq for detailed upgrade instructions and confirmation of patched versions.

More in Ftl

View all
CVE-2026-35521 HIGH
8.8 Apr 07

Remote code execution in Pi-hole FTL engine versions 6.0 through 6.5 allows authenticated attackers to execute arbitrary

CVE-2026-35520 HIGH
8.8 Apr 07

Remote code execution in Pi-hole FTL engine versions 6.0 through 6.5 allows authenticated attackers to inject arbitrary

CVE-2026-35519 HIGH
8.8 Apr 07

Remote code execution in Pi-hole FTL 6.0 through 6.5 allows authenticated attackers to execute arbitrary commands via ne

CVE-2026-35518 HIGH
8.8 Apr 07

Remote code execution in Pi-hole FTL DNS engine versions 6.0 through 6.5 allows authenticated attackers to execute arbit

CVE-2026-35517 HIGH
8.8 Apr 07

Remote code execution in Pi-hole FTL engine versions 6.0 through 6.5 allows authenticated attackers with low privileges

CVE-2026-44693 HIGH
8.8 Jun 10

Session hijacking in Pi-hole FTL versions prior to 6.6.1 stems from a race condition in the CivetWeb-based HTTP session

CVE-2022-30573 HIGH
8.8 Aug 09

The ftlserver component of TIBCO Software Inc.'s TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition, TIBCO FTL

CVE-2019-11209 HIGH
8.8 Aug 20

The realm configuration component of TIBCO Software Inc.'s TIBCO FTL Community Edition, TIBCO FTL Developer Edition, TIB

CVE-2018-12412 HIGH
8.8 Nov 06

The realm server (tibrealmserver) component of TIBCO Software Inc. Rated high severity (CVSS 8.8), this vulnerability is

CVE-2022-30574 HIGH
7.8 Aug 09

The ftlserver component of TIBCO Software Inc.'s TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition, TIBCO FTL

CVE-2021-28820 HIGH
7.8 Mar 23

The FTL Server (tibftlserver), FTL C API, FTL Golang API, FTL Java API, and FTL .Net API components of TIBCO Software In

CVE-2021-28819 HIGH
7.8 Mar 23

The Windows Installation component of TIBCO Software Inc.'s TIBCO FTL - Community Edition, TIBCO FTL - Developer Edition

Share

EUVD-2026-19676 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy