{"id":"CVE-2026-32136","summary":"AdGuard Home: HTTP/2 Cleartext (h2c) Upgrade Authentication Bypass","details":"AdGuard Home is a network-wide software for blocking ads and tracking. Prior to 0.107.73, an unauthenticated remote attacker can bypass all authentication in AdGuardHome by sending an HTTP/1.1 request that requests an upgrade to HTTP/2 cleartext (h2c). Once the upgrade is accepted, the resulting HTTP/2 connection is handled by the inner mux, which has no authentication middleware attached. All subsequent HTTP/2 requests on that connection are processed as fully authenticated, regardless of whether any credentials were provided. This vulnerability is fixed in 0.107.73.","aliases":["GHSA-5fg6-wrq4-w5gh","GO-2026-4686"],"modified":"2026-04-10T05:42:20.895976Z","published":"2026-03-11T21:42:31.422Z","related":["SUSE-SU-2026:1042-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32136.json","cwe_ids":["CWE-287"],"cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/AdguardTeam/AdGuardHome/security/advisories/GHSA-5fg6-wrq4-w5gh"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32136.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-32136"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/adguardteam/adguardhome","events":[{"introduced":"0"},{"fixed":"c003e9f9c04311a13ca7a873a8437f80711102a5"}]}],"versions":["v0.1","v0.100.0","v0.100.1","v0.100.2","v0.100.3","v0.100.4","v0.100.5","v0.100.6","v0.100.7","v0.100.8","v0.100.9","v0.101.0","v0.102.0","v0.103.0","v0.103.0-beta1","v0.103.0-beta2","v0.103.0-beta3","v0.103.1","v0.103.2","v0.103.3","v0.104.0","v0.104.0-beta1","v0.104.0-beta2","v0.104.0-beta3","v0.104.1","v0.105.0","v0.105.0-beta.3","v0.105.0-beta.4","v0.105.0-beta.5","v0.105.1","v0.105.1-beta.1","v0.105.2","v0.105.2-beta.1","v0.106.0","v0.106.0-b.1","v0.106.0-b.2","v0.106.0-b.3","v0.106.0-b.4","v0.106.0-b.5","v0.107.0","v0.107.0-b.1","v0.107.0-b.10","v0.107.0-b.11","v0.107.0-b.12","v0.107.0-b.13","v0.107.0-b.14","v0.107.0-b.15","v0.107.0-b.16","v0.107.0-b.17","v0.107.0-b.2","v0.107.0-b.3","v0.107.0-b.4","v0.107.0-b.5","v0.107.0-b.6","v0.107.0-b.7","v0.107.0-b.8","v0.107.0-b.9","v0.107.1","v0.107.10","v0.107.11","v0.107.12","v0.107.13","v0.107.14","v0.107.15","v0.107.16","v0.107.17","v0.107.18","v0.107.19","v0.107.2","v0.107.20","v0.107.21","v0.107.22","v0.107.23","v0.107.24","v0.107.25","v0.107.26","v0.107.27","v0.107.28","v0.107.29","v0.107.3","v0.107.30","v0.107.31","v0.107.32","v0.107.33","v0.107.34","v0.107.35","v0.107.36","v0.107.37","v0.107.38","v0.107.39","v0.107.4","v0.107.40","v0.107.41","v0.107.42","v0.107.43","v0.107.44","v0.107.45","v0.107.46","v0.107.47","v0.107.48","v0.107.49","v0.107.5","v0.107.50","v0.107.51","v0.107.52","v0.107.53","v0.107.54","v0.107.55","v0.107.56","v0.107.57","v0.107.58","v0.107.59","v0.107.6","v0.107.60","v0.107.61","v0.107.62","v0.107.63","v0.107.64","v0.107.65","v0.107.66","v0.107.67","v0.107.68","v0.107.69","v0.107.7","v0.107.70","v0.107.71","v0.107.72","v0.107.8","v0.107.9","v0.9","v0.9-hotfix1","v0.91","v0.92","v0.92-hotfix1","v0.92-hotfix2","v0.93","v0.95","v0.95-hotfix","v0.96","v0.96-hotfix","v0.97.0","v0.97.1","v0.98.0","v0.98.1","v0.99.0","v0.99.1","v0.99.2","v0.99.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32136.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}