AdGuard Home critical patch
A critical AdGuard Home vulnerability (CVE‑2026‑32136) lets attackers bypass authentication — a hotfix was released and network admins are urged to patch immediately if they use AdGuard Home for DNS filtering or network ad‑blocking advisory. Unpatched instances expose your whole LAN to remote control and configuration changes, so prioritize the emergency update.
Affected installs are any AdGuard Home release older than 0.107.73 — the fix is packaged as version 0.107.73 in the project’s GitHub release notes. github.com The root cause is an HTTP/2 cleartext (h2c) upgrade flow: the h2c handler hands off connections to an inner request mux that was created without the authentication middleware (incorrect middleware ordering), a logic path documented in the advisory and confirmed in the patch analysis. github.com The flaw carries a CVSS v3.1 score of 9.8 and allows an unauthenticated remote attacker to send an HTTP/1.1 Upgrade: h2c request that leads to subsequent HTTP/2 requests being treated as fully authenticated. github.com AdGuard pushed the patched binaries and Docker images with VCS_REF c003e9f9c04311a13ca7a873a8437f80711102a5 and a build date of March 10, 2026; the project changelog and Docker Hub manifest reflect the 0.107.73 release. adguard.com
