Active KEV: CVE-2026-41448 (2026-06-08)

CVE-2026-41448: AdGuard Home Authentication Bypass via Path Traversal in Admin-Token Cookie

"A critical path traversal flaw lets unauthenticated attackers gain full admin access on AdGuard Home instances launched with the `--glinet` flag."

What Is It

CVE-2026-41448 is an authentication bypass vulnerability (CWE-22, path traversal) in AdGuard Home when it is started with the --glinet flag. The authglinet middleware builds the path of the token file by plain string concatenation, without sanitizing the value it reads from the Admin-Token cookie. By supplying a path traversal sequence in that cookie, an attacker can redirect the file read to an arbitrary path and bypass authentication entirely: a single crafted request carrying the traversal payload in the Admin-Token cookie yields full administrative access without any credentials.
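To make the defect concrete, here is an added Go example (written for this brief; it is not AdGuard Home's code and does not reproduce its authglinet middleware). It contrasts the unsanitized concatenation pattern the advisory describes with a hardened lookup that allowlists the token and confines the resulting path to the token directory, and adds a small detection check that a reverse proxy or log review could apply to the Admin-Token cookie value. The directory name, the token allowlist and the sample values are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"path/filepath"
	"regexp"
	"strings"
)

// Hypothetical directory holding per-session token files (assumed layout,
// not AdGuard Home's real one).
const tokenDir = "/var/lib/example/tokens"

// ErrBadToken is returned for any cookie value that fails validation.
var ErrBadToken = errors.New("admin token rejected")

// tokenPattern is an assumed allowlist: only an opaque token made of safe
// characters is ever used to name a file.
var tokenPattern = regexp.MustCompile(`^[A-Za-z0-9_-]{16,128}$`)

// vulnerableTokenPath reproduces the pattern the advisory describes: the
// cookie value is concatenated into the path with no validation, so a value
// containing a traversal sequence escapes tokenDir.
func vulnerableTokenPath(token string) string {
	return tokenDir + "/" + token
}

// hardenedTokenPath allowlists the token first, then checks that the cleaned
// result still sits inside tokenDir (defence in depth if the allowlist changes).
func hardenedTokenPath(token string) (string, error) {
	if !tokenPattern.MatchString(token) {
		return "", ErrBadToken
	}
	full := filepath.Join(tokenDir, token)
	rel, err := filepath.Rel(tokenDir, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrBadToken
	}
	return full, nil
}

// looksLikeTraversal is a simple detection check for access logs or a proxy
// rule: does the cookie value contain a traversal sequence, raw or URL-encoded?
func looksLikeTraversal(cookieValue string) bool {
	v := strings.ToLower(cookieValue)
	for _, needle := range []string{"../", "..\\", "%2e%2e%2f", "%2e%2e/", "..%2f"} {
		if strings.Contains(v, needle) {
			return true
		}
	}
	return false
}

// adminTokenFromRequest extracts the Admin-Token cookie (cookie name taken
// from the advisory) from an incoming request.
func adminTokenFromRequest(r *http.Request) (string, bool) {
	c, err := r.Cookie("Admin-Token")
	if err != nil {
		return "", false
	}
	return c.Value, true
}

func main() {
	// Constructed sample values: one well-formed token, one traversal attempt.
	for _, tok := range []string{"k8Q2pZ1xV9nLw4Tb7Hy0", "../../other/file"} {
		fmt.Printf("%-22q vulnerable=%s\n", tok, vulnerableTokenPath(tok))
		p, err := hardenedTokenPath(tok)
		fmt.Printf("%-22q hardened=%q err=%v traversal=%v\n", tok, p, err, looksLikeTraversal(tok))
	}
}
```

The allowlist alone stops the bypass; the `filepath.Rel` check is cheap insurance against a future change that widens the accepted token alphabet. The detection helper is deliberately coarse and is meant for triage of logs from unpatched --glinet instances, not as a substitute for upgrading.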

Why It Matters

The flaw carries a CVSS 3.1 base score of 9.4 (CRITICAL) (vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L), with a secondary CVSS 4.0 score of 9.2. It is network-reachable and requires low attack complexity, no privileges, and no user interaction. Successful exploitation yields high confidentiality and integrity impact (with low availability impact), which in practice means complete admin takeover of the affected DNS/ad-filtering appliance, a component that sits in a privileged position over network traffic.

What's Vulnerable

AdGuard Home instances started with the --glinet flag are affected. This flag is associated with GL.iNet router deployments. Instances not started with --glinet do not invoke the vulnerable authglinet middleware path. The fix is included in AdGuard Home release v0.107.77.

Patch Status

A patched release, AdGuard Home v0.107.77, is available. Administrators running with the --glinet flag should upgrade to v0.107.77 or later. The supplied source material contains no CISA KEV entry for this CVE, so there is no confirmation of active exploitation in the provided data.

Sources