CVE-2026-35491 — Authorization Bypass in Pi-hole FTL via Teleporter Endpoint
Summary

| Field | Value |
|---|---|
| CVE ID | CVE-2026-35491 |
| Advisory | GHSA-r7g8-3fj7-m5qq |
| Vulnerability Type | Authorization Bypass |
| CWE | CWE-863: Incorrect Authorization |
| Attack Vector | Local |
| CVSS v3.1 Base Score | 6.1 (Medium) |
| CVSS v3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L |
| Affected Versions | Pi-hole FTL >= 6.0 through 6.5 |
| Patched Version | 6.6 |
| Discovered By | Mohammed Alzahrani |

Description

Pi-hole FTL versions 6.0 through 6.5 contain an authorization bypass in the Teleporter import endpoint. CLI-scoped API sessions — intended for read-only operations — are properly rejected by /api/config with HTTP 403, but the /api/teleporter endpoint lacks equivalent authorization checks. ...
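The CWE-863 pattern described above, modeled as an added example (this is not Pi-hole FTL source code): a scope check that lives inside individual handlers is missed by one endpoint, while a single gate in front of every handler cannot be skipped. The struct layout, function names, the `handler_checks_scope` flag and the rule that CLI-scoped sessions may only issue GET are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model, not Pi-hole FTL source: all names and layout are assumptions. */
enum { HTTP_OK = 200, HTTP_UNAUTHORIZED = 401, HTTP_FORBIDDEN = 403, HTTP_NOT_FOUND = 404 };
struct session { bool valid; bool cli_scoped; };            /* cli_scoped: read-only session */
struct route { const char *path; bool handler_checks_scope; };

/* Constructed route table mirroring the advisory: only /api/config checks the scope. */
static const struct route routes[] = {
    { "/api/config",     true  },
    { "/api/teleporter", false },
};

static bool is_read_only(const char *method) { return strcmp(method, "GET") == 0; }

static const struct route *find_route(const char *path) {
    for (size_t i = 0; i < sizeof routes / sizeof routes[0]; i++)
        if (strcmp(routes[i].path, path) == 0) return &routes[i];
    return NULL;
}

/* Flawed pattern: the scope check runs only where a handler remembered to include it. */
int dispatch_per_handler(const struct session *s, const char *method, const char *path) {
    const struct route *r = find_route(path);
    if (!r) return HTTP_NOT_FOUND;
    if (!s || !s->valid) return HTTP_UNAUTHORIZED;
    if (r->handler_checks_scope && s->cli_scoped && !is_read_only(method)) return HTTP_FORBIDDEN;
    return HTTP_OK;   /* handler would run here */
}

/* Hardened pattern: one gate before any handler, so new endpoints are covered by default. */
int dispatch_central(const struct session *s, const char *method, const char *path) {
    const struct route *r = find_route(path);
    if (!r) return HTTP_NOT_FOUND;
    if (!s || !s->valid) return HTTP_UNAUTHORIZED;
    if (s->cli_scoped && !is_read_only(method)) return HTTP_FORBIDDEN;
    return HTTP_OK;   /* handler would run here */
}

int main(void) {
    const struct session cli = { true, true };   /* constructed CLI-scoped session */
    printf("per-handler: %d\n", dispatch_per_handler(&cli, "POST", "/api/teleporter"));
    printf("central:     %d\n", dispatch_central(&cli, "POST", "/api/teleporter"));
    return 0;
}
```

A regression test for this class of bug iterates over every registered route with a restricted session and asserts 403 on each state-changing method, so an endpoint added later without a check fails the build.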