CVE-2026-41448

AdGuard Home, when started with the --glinet flag, contains an authentication bypass vulnerability that allows unauthenticated attackers to gain full admin access by supplying a path traversal sequence in the Admin-Token cookie, exploiting unsanitized string concatenation in the token file path construction within the authglinet middleware. Attackers can craft a request with a traversal payload in the Admin-Token header to redirect file reads to arbitrary paths.
Configurations

No configuration.

History

08 Jun 2026, 17:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-06-08 17:16

Updated : 2026-07-14 21:16


NVD link : CVE-2026-41448

Mitre link : CVE-2026-41448

CVE.ORG link : CVE-2026-41448


JSON object : View

Products Affected

No product.

CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')