AdGuard Home Authentication Bypass via Path Traversal in Admin-Token Cookie

Advisories

AdGuard Home Authentication Bypass via Path Traversal in Admin-Token Cookie

severity: critical
date: 6/8/2026
Affecting: AdGuardHome < 0.107.77
CVE: CVE-2026-41448
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS: 9.2
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
References: Release Notes
Credit: djnn
Description: AdGuard Home, when started with the --glinet flag, contains an authentication bypass vulnerability that allows unauthenticated attackers to gain full admin access by supplying a path traversal sequence in the Admin-Token cookie, exploiting unsanitized string concatenation in the token file path construction within the authglinet middleware. Attackers can craft a request with a traversal payload in the Admin-Token header to redirect file reads to arbitrary paths.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo