CVE-2026-32136 — AI Deep Analysis Summary

🚨 **Essence**: Auth Bypass via HTTP/2 Upgrade. Attackers send requests to upgrade to **HTTP/2 plaintext**. 🛡️ **Consequence**: All subsequent HTTP/2 requests are treated as **fully authenticated**.…

🔍 **CWE-287**: Improper Authentication. The flaw lies in **unverified remote attackers** triggering the upgrade. The system fails to validate identity *before* accepting the HTTP/2 connection state.

📦 **Vendor**: AdguardTeam. 📦 **Product**: AdGuardHome. ⚠️ **Affected**: Versions **before 0.107.73**. If you are running an older build, you are vulnerable.

💀 **Privileges**: Full Admin Access. 📂 **Data**: Complete Read/Write/Modify. Since auth is bypassed, hackers can control the entire network ad-blocking logic and settings.

📉 **Threshold**: **LOW**. CVSS: **AV:N** (Network), **AC:L** (Low Complexity), **PR:N** (No Privs needed). No user interaction required. Just send a specific request.

🚫 **Public Exp**: No PoC listed in data. However, the mechanism (HTTP/2 upgrade bypass) is theoretically straightforward to script. High risk of wild exploitation.

🔎 **Self-Check**: Scan for AdGuardHome instances. Check version number. If < **0.107.73**, you are at risk. Look for HTTP/2 upgrade endpoints in network traffic.

✅ **Fixed**: Yes. Official advisory: **GHSA-5fg6-wrq4-w5gh**. Patch released in version **0.107.73**. Update immediately to the latest stable release.

🛡️ **Workaround**: If you cannot patch, **disable HTTP/2** support on the server. Force HTTP/1.1 only. This removes the attack vector entirely until you can upgrade.

🔥 **Urgency**: **CRITICAL**. CVSS Score is **High** (likely 9.0+). Network-accessible, no auth needed. Patch **NOW**. Do not wait.