This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login. Read the full analysis →
Q1What is this vulnerability? (Essence + Consequences)
🚨 **Essence**: Auth Bypass via HTTP/2 Upgrade. Attackers send requests to upgrade to **HTTP/2 plaintext**. 🛡️ **Consequence**: All subsequent HTTP/2 requests are treated as **fully authenticated**.…
🔍 **CWE-287**: Improper Authentication. The flaw lies in **unverified remote attackers** triggering the upgrade. The system fails to validate identity *before* accepting the HTTP/2 connection state.
Q3Who is affected? (Versions/Components)
📦 **Vendor**: AdguardTeam. 📦 **Product**: AdGuardHome. ⚠️ **Affected**: Versions **before 0.107.73**. If you are running an older build, you are vulnerable.
Q4What can hackers do? (Privileges/Data)
💀 **Privileges**: Full Admin Access. 📂 **Data**: Complete Read/Write/Modify. Since auth is bypassed, hackers can control the entire network ad-blocking logic and settings.
Q5Is exploitation threshold high? (Auth/Config)
📉 **Threshold**: **LOW**. CVSS: **AV:N** (Network), **AC:L** (Low Complexity), **PR:N** (No Privs needed). No user interaction required. Just send a specific request.
Q6Is there a public Exp? (PoC/Wild Exploitation)
🚫 **Public Exp**: No PoC listed in data. However, the mechanism (HTTP/2 upgrade bypass) is theoretically straightforward to script. High risk of wild exploitation.
Q7How to self-check? (Features/Scanning)
🔎 **Self-Check**: Scan for AdGuardHome instances. Check version number. If < **0.107.73**, you are at risk. Look for HTTP/2 upgrade endpoints in network traffic.
Q8Is it fixed officially? (Patch/Mitigation)
✅ **Fixed**: Yes. Official advisory: **GHSA-5fg6-wrq4-w5gh**. Patch released in version **0.107.73**. Update immediately to the latest stable release.
Q9What if no patch? (Workaround)
🛡️ **Workaround**: If you cannot patch, **disable HTTP/2** support on the server. Force HTTP/1.1 only. This removes the attack vector entirely until you can upgrade.
Q10Is it urgent? (Priority Suggestion)
🔥 **Urgency**: **CRITICAL**. CVSS Score is **High** (likely 9.0+). Network-accessible, no auth needed. Patch **NOW**. Do not wait.