The AdGuard Home 0.107.73 contains a critical update that fixes a critical security update. Is there an expected timeline for that to be updated in the plugin manager?
Updates of 3rd-party software will be handled by general firmware upgrades. There is no update via plugin manager for that. I recommend using [Script] Update AdGuard Home
Hi
It appears that, thanks to a different validation mechanism, AdGuard Home on our devices is not affected.
```text
====================================================================
AdGuardHome -- h2c Authentication Bypass PoC
CWE-287: Full API access without credentials
====================================================================
Target : http://192.168.8.1:3000
Upgrade : /control/login (whitelisted public path)
[*] Connecting and performing h2c upgrade ...
[+] Bypass established -- authentication is not enforced
[*] GET /control/status
[-] HTTP 403
[*] GET /control/querylog (DNS query history)
[-] HTTP 403
[*] GET /control/dhcp/status (network device inventory)
[-] HTTP 403
[*] POST /control/dns_config (DNS -> 8.8.8.8)
[-] HTTP 403: Forbidden
====================================================================
Impact Summary
====================================================================
READ (always demonstrated):
System version, DNS config, query log, DHCP leases
WRITE (via flags):
--hijack-dns <ip> Network-wide DNS hijacking
--disable-protection Suspend all DNS blocking
Root cause: internal/home/web.go:268-283
h2c.NewHandler(innerMux_NO_AUTH, ...)
auth.Wrap(h2cHandler) <- auth only covers the HTTP/1.1 upgrade request
```
Refer:
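The root cause above is that the auth wrapper only sees the HTTP/1.1 upgrade request, so a front-end validation layer has to refuse the protocol switch itself. The following is an added example (not code from this thread or from AdGuard Home) of the check an authenticating reverse proxy could apply to raw request heads; the public path list beyond /control/login and the sample requests are constructed for illustration.

```python
"""Flag cleartext HTTP/2 (h2c) entry attempts in front of an admin API.

Added example, not code from the thread or from AdGuard Home. Once a
connection is switched to h2c, later streams reach the backend without
passing an HTTP/1.1 auth wrapper, so a proxy must refuse the switch
rather than rely on per-request auth on the upgrade request alone.
"""
from dataclasses import dataclass

# /control/login is the auth-exempt path named in the thread; the second
# entry is assumed for illustration.
PUBLIC_PATHS = {"/control/login", "/login.html"}


@dataclass
class Verdict:
    path: str
    h2c_upgrade: bool      # RFC 7540 3.2: HTTP/1.1 request carrying "Upgrade: h2c"
    prior_knowledge: bool  # RFC 7540 3.4: connection preface "PRI * HTTP/2.0"
    public_path: bool      # backend would skip auth for this path

    @property
    def deny(self) -> bool:
        return self.h2c_upgrade or self.prior_knowledge


def _tokens(value: str) -> set[str]:
    return {t.strip().lower() for t in value.split(",") if t.strip()}


def classify_request(raw: bytes) -> Verdict:
    """Parse an HTTP request head (bytes up to the blank line) and classify it."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, path, version = request_line.split(" ", 2)
    headers: dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:  # fold repeated headers into one comma-separated list
            key, val = name.strip().lower(), value.strip()
            headers[key] = f"{headers[key]}, {val}" if key in headers else val
    return Verdict(
        path=path,
        h2c_upgrade="h2c" in _tokens(headers.get("upgrade", "")),
        prior_knowledge=(method, path, version) == ("PRI", "*", "HTTP/2.0"),
        public_path=path in PUBLIC_PATHS,
    )


# Constructed request heads, not captured traffic; host taken from the PoC output.
UPGRADE_ATTEMPT = (b"GET /control/login HTTP/1.1\r\nHost: 192.168.8.1:3000\r\n"
                   b"Connection: Upgrade, HTTP2-Settings\r\nUpgrade: h2c\r\n"
                   b"HTTP2-Settings: AAMAAABkAAQAoAAAAAIAAAAA\r\n\r\n")
PRIOR_KNOWLEDGE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
NORMAL_LOGIN = b"POST /control/login HTTP/1.1\r\nHost: 192.168.8.1:3000\r\n\r\n"
```

A normal login on the same public path is left alone; only the two ways of entering HTTP/2 over cleartext are denied.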
That makes sense given your own authentication proxy. I didn't think about that. Thanks for checking!
I'm curious however. Doesn’t the plugin manager also have the ability to update plugins? Or do you just mean that because this particular plugin is installed by default it isn't upgradable there? It does seem a bit odd that it still shows up in the plugin manager given that.
The plugin manager can update, but the repositories are not updated on a regular basis. I'd go so far as to say they're not even updated.