CVE-2026-32136: AdGuard Home: HTTP/2 Cleartext (h2c) Upgrade Authentication Bypass

March 12, 2026

An unauthenticated remote attacker can bypass all authentication in AdGuardHome by sending an HTTP/1.1 request that requests an upgrade to HTTP/2 cleartext (h2c). Once the upgrade is accepted, the resulting HTTP/2 connection is handled by the inner mux, which has no authentication middleware attached. All subsequent HTTP/2 requests on that connection are processed as fully authenticated, regardless of whether any credentials were provided.

References

github.com/AdguardTeam/AdGuardHome
github.com/AdguardTeam/AdGuardHome/security/advisories/GHSA-5fg6-wrq4-w5gh
github.com/advisories/GHSA-5fg6-wrq4-w5gh
nvd.nist.gov/vuln/detail/CVE-2026-32136

Code Behaviors & Features

Detect and mitigate CVE-2026-32136 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →