AdGuard Home 0.107.73 contains a critical update that fixes a critical security update. Is there an expected timeline for that to be updated in the plugin manager?
Updates of 3rd-party software will be handled by general firmware upgrades. There is no update via plugin manager for that. I recommend using [Script] Update AdGuard Home
Hi
It appears that, thanks to a different validation mechanism, AdGuard Home on our devices is not affected.
====================================================================
AdGuardHome -- h2c Authentication Bypass PoC
CWE-287: Full API access without credentials
====================================================================
Target : http://192.168.8.1:3000
Upgrade : /control/login (whitelisted public path)
[*] Connecting and performing h2c upgrade ...
[+] Bypass established -- authentication is not enforced
[*] GET /control/status
[-] HTTP 403
[*] GET /control/querylog (DNS query history)
[-] HTTP 403
[*] GET /control/dhcp/status (network device inventory)
[-] HTTP 403
[*] POST /control/dns_config (DNS -> 8.8.8.8)
[-] HTTP 403: Forbidden
====================================================================
Impact Summary
====================================================================
READ (always demonstrated):
System version, DNS config, query log, DHCP leases
WRITE (via flags):
--hijack-dns <ip> Network-wide DNS hijacking
--disable-protection Suspend all DNS blocking
Root cause: internal/home/web.go:268-283
h2c.NewHandler(innerMux_NO_AUTH, ...)
auth.Wrap(h2cHandler) <- auth only covers the HTTP/1.1 upgrade request
Refer:
That makes sense given your own authentication proxy. I didn't think about that. Thanks for checking!
I'm curious however. Doesn’t the plugin manager also have the ability to update plugins? Or do you just mean that because this particular plugin is installed by default it isn't upgradable there? It does seem a bit odd that it still shows up in the plugin manager given that.
The plugin manager can update, but the repositories are not updated on a regular basis. I'd go so far as to say they're not even updated.
Hi,
Do the openwrt24 firmware versions, which usually come a few weeks after the gl-inet firmware updates, receive the same AdGuard Home updates as gl-inet's firmware versions get from time to time?
Are these steps, which I found on Reddit (but I think they've been posted on this forum too), safe to use on both versions of the firmware, whether it is gl-inet or openwrt? I don't want to use the update script.
Here is the reddit post:
“This is how I've always updated my openwrt glinet router adguard home:
stop AdGuard Home from glinet interface
ssh 192.168.1.1 ## or whatever your router IP is
service adguardhome stop ## stop adguard & check with btop
AdGuardHome --update
start AdGuard Home from glinet interface”
Thank you very much.