AdGuard Home is a popular network-wide ad and tracking blocker that operates as a DNS proxy and filtering service. Versions prior to 0.107.73 contain a critical vulnerability (CVE-2026-32136) classified under CWE-287 (Improper Authentication). The vulnerability arises from the way AdGuard Home handles HTTP/2 cleartext (h2c) upgrade requests. When an unauthenticated attacker sends an HTTP/1.1 request requesting an upgrade to HTTP/2 cleartext, the server accepts and switches to HTTP/2. However, the internal HTTP/2 connection handler (inner mux) lacks authentication middleware, effectively bypassing all authentication checks for subsequent HTTP/2 requests on that connection. This allows the attacker to perform any administrative or privileged operations without credentials, compromising the confidentiality, integrity, and availability of the system. The vulnerability is remotely exploitable without any user interaction or privileges, making it highly dangerous. The issue was addressed and fixed in AdGuard Home version 0.107.73. Although no known exploits have been reported in the wild yet, the vulnerability's characteristics and CVSS score of 9.8 indicate it is critical and likely to be targeted.

The impact of CVE-2026-32136 is severe for organizations deploying vulnerable versions of AdGuard Home. Attackers can gain unauthorized administrative access remotely without authentication, enabling them to alter DNS filtering rules, disable protections, redirect traffic, or exfiltrate sensitive information. This compromises network security, user privacy, and can facilitate further attacks such as malware distribution or data interception. The integrity of DNS filtering policies and availability of the service can be disrupted, potentially causing denial of service or exposure to malicious content. Organizations relying on AdGuard Home for network-wide ad blocking and privacy protection face significant risk of compromise, data leakage, and operational disruption. The ease of exploitation and lack of required privileges or user interaction increase the likelihood of attacks, especially in exposed network environments.

To mitigate this vulnerability, organizations should immediately upgrade all AdGuard Home instances to version 0.107.73 or later, where the authentication bypass is fixed. Until upgrades can be applied, restrict network access to AdGuard Home's management interfaces using firewall rules or network segmentation to allow only trusted administrators. Disable HTTP/2 cleartext (h2c) upgrade requests if configurable, or deploy reverse proxies that enforce authentication before forwarding requests to AdGuard Home. Monitor network traffic for unusual HTTP/2 upgrade attempts and unauthorized administrative actions. Regularly audit and review DNS filtering configurations for unauthorized changes. Implement strong network perimeter defenses and intrusion detection systems to detect and block exploitation attempts. Maintain up-to-date backups of configuration data to enable recovery in case of compromise.