AdGuard Home is a popular network-wide software solution designed to block ads and tracking across all devices on a network. The vulnerability identified as CVE-2026-32136 (CWE-287: Improper Authentication) affects versions of AdGuard Home prior to 0.107.73. The flaw arises from the way the software handles HTTP protocol upgrades. Specifically, when an attacker sends an HTTP/1.1 request that requests an upgrade to HTTP/2 cleartext (h2c), the server accepts the upgrade and switches to HTTP/2. However, the HTTP/2 connection is managed by an internal multiplexer that does not enforce any authentication middleware. As a result, all subsequent HTTP/2 requests on that connection are treated as fully authenticated, regardless of whether any credentials were provided. This means an unauthenticated remote attacker can bypass all authentication mechanisms and gain unrestricted access to the AdGuard Home interface and its administrative functions. The vulnerability has a CVSS v3.1 score of 9.8, indicating critical severity, with attack vector network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). Although no known exploits are reported in the wild yet, the ease of exploitation and the critical impact make this a significant threat. The issue was publicly disclosed on March 11, 2026, and fixed in version 0.107.73. Users running earlier versions are strongly advised to upgrade to mitigate this risk.

The impact of this vulnerability is severe for organizations using AdGuard Home versions prior to 0.107.73. An attacker exploiting this flaw can gain full administrative access without authentication, allowing them to modify filtering rules, disable protections, inject malicious content, or disrupt network-wide ad-blocking services. This compromises the confidentiality of network traffic by potentially allowing tracking or data leakage, the integrity of filtering policies by unauthorized modification, and the availability of the service by disabling or corrupting it. Since AdGuard Home is often deployed in home networks, small businesses, and some enterprise environments to enhance privacy and security, this vulnerability could lead to widespread exposure to ads, trackers, malware, or other malicious content. The lack of authentication also means attackers can pivot from this foothold to launch further attacks within the network, increasing the overall risk. The vulnerability’s network-based attack vector and no requirement for user interaction make it highly exploitable, potentially affecting a broad range of users globally.

The primary and most effective mitigation is to upgrade AdGuard Home to version 0.107.73 or later, where this vulnerability is fixed. Organizations should immediately audit their deployments to identify any instances running vulnerable versions and prioritize patching. Until upgrades can be applied, network administrators should consider restricting access to the AdGuard Home management interface to trusted IP addresses only, using firewall rules or network segmentation to limit exposure. Additionally, monitoring network traffic for unusual HTTP/2 upgrade requests or unexpected HTTP/2 connections to the AdGuard Home server may help detect exploitation attempts. Employing intrusion detection/prevention systems (IDS/IPS) with custom signatures for this attack vector can provide additional defense. Finally, organizations should review and enforce strong network access controls and consider isolating critical infrastructure components to reduce the blast radius of potential compromises.