
Flaw in Pi-hole, the Popular Ad Blocker: Someone on Your Network Can Hijack the Admin Panel Without a Password, CVE-2026-44693, Update to v6.6.1

A flaw in FTL, the core engine of Pi-hole, the ad blocker widely used in homes and offices (CVE-2026-44693, CVSS 8.8): a third party on the same network can flood it while an admin is active, steal the session ID, and hijack the admin panel without a password — enabling DNS rewrites and browsing-history access. It affects v6.0 to v6.6.0; update to v6.6.1 or later now.


Makoto Horikawa

Backend Engineer / AWS / Django

2026.06.11, 8 min read

A third party on the same network can hijack the entire admin panel without a password: a flaw like this has been found in "FTL," the core engine of Pi-hole, the ad and tracker blocker widely used in homes and offices. It is CVE-2026-44693, rated CVSS 8.8 (High).

Pi-hole is a network-level ad blocker that filters ads, trackers, and unwanted destinations across an entire home or office network. Installed on a Raspberry Pi or a small server, it is a go-to tool used worldwide, from self-hosting (homelab) enthusiasts to small businesses. This issue lies behind its web admin interface, in the mechanism that manages a user's logged-in state (the session).

Specifically, when an attacker on the same network floods it with concurrent requests while an administrator is operating the web interface, they can steal the administrator's login token (session ID) and slip in as the administrator without ever knowing the password. With Pi-hole admin privileges, an attacker can rewrite the whole network's DNS (the system that decides how and where you connect), silently disable ad and threat blocking, and snoop on the entire household's or office's browsing history. A fix is already out: updating Pi-hole FTL to v6.6.1 or later closes it. Check the official advisory and apply it now if you haven't already.

What Pi-hole Is, and Why Losing the Admin Panel Endangers the Whole Home or Office

Pi-hole sits at the network's "DNS" position (the phone-book-like system that turns domain names into actual destinations) and blocks queries to ad servers, trackers, and dangerous sites all at once. Its appeal is that it can block ads and tracking for every device behind the router without installing a separate app on each one, and running it permanently on a Raspberry Pi is the classic setup. At its core is "FTL," the engine that handles DNS processing and statistics; settings are made from a browser-based web admin panel.

What matters here is that Pi-hole is the checkpoint directing all of the network's traffic. Because every device's name resolution (which site you connect to) passes through Pi-hole, whoever holds its admin privileges can freely rewrite where the network goes — for example, pointing a bank's domain to a fake site, or rerouting traffic to internal systems through a wiretap. On top of that, Pi-hole records the full query history of which device connected to which domain and when, so the admin panel is itself a "treasure trove of the home's or office's activity logs."

This flaw lets someone pass through that checkpoint's entrance (the web admin login) without a valid password. "Authentication," one of the heaviest layers of defense, is walked right past under the right conditions. Pi-hole has previously seen issues akin to intrusion via the configuration of home-network tools, and the more central it is to a home or small office network, the higher the value of attacking it.

Are You Affected? Tell by Version and Situation

This flaw was introduced in v6.0, the version that heavily rewrote Pi-hole FTL. The version you run determines whether you are in scope.

| Pi-hole FTL Version | In Scope | Action |
| --- | --- | --- |
| v6.0 – v6.6.0 | Yes (vulnerable) | Update to v6.6.1+ urgently |
| v6.6.1 or later (latest is v6.6.2) | No (patched) | Keep current |
| v5 series (old; note: end of support) | Not this issue | Move to the v6 series |

The fixed v6.6.1 was released on April 24, 2026. Note that Pi-hole does not auto-update; the user manually runs pihole -up to update. "Set it and forget it" installs never pulled in the April fix, and now that the details are public as a CVE, the v6.0–v6.6.0 installs left unpatched are easier targets. Since the attack assumes "the attacker is on the same network and an administrator is actively using the web UI," the risk rises on networks where guests or many unknown parties connect.

While the Admin Is Logged In, Someone on the Same Network Lifts the Key

Let's picture who triggers this flaw. The condition is "the attacker is on the same network, overlapping the moment an administrator is operating the web interface." The threat is not someone in a distant country, but a visitor or housemate invited onto your home Wi-Fi, a disgruntled employee sitting on the office LAN, or malware that has already burrowed into one phone or IoT device and is looking to move laterally. What they want is the session ID to impersonate the Pi-hole admin, the control over the whole network's DNS that comes with it, and the activity history of which device viewed which site.

All they do is flood public pages with concurrent requests while the admin is touching the web interface. The login cookie (session ID) meant only for the administrator comes back in the response to one of their own requests, and they hold the admin's key with no password and no login. The consequences run deep. Holding admin privileges, the attacker can freely change DNS settings: point a specific domain to a fake site, silently turn off ad and threat blocking, read the entire query history. There have even been past cases of the server itself being taken over via configuration, so seizing admin privilege also becomes a foothold for the next intrusion.

What makes it nasty for defenders is that this succeeds from inside the network, with no special privileges. The more a network is one that visitors or many unknown parties join, the more easily the precondition is met.

The number CVSS 8.8 is just a label for high technical severity. What truly frightens those who have trusted Pi-hole as the gatekeeper of a home or small office network is that gatekeeper being impersonated, without a password, by someone in the same room on the same wire, who then runs the traffic from behind the scenes. Lose the center of your defense, and every device behind it falls within the attacker's reach.

A Technical Look at CVE-2026-44693: Where and What Happens

CVE-2026-44693 is a race condition (CWE-362) in the HTTP session management of the web server (CivetWeb) embedded in Pi-hole FTL. The cause is that a global variable for response headers, pi_hole_extra_headers, introduced during the major v6.0 rewrite, was shared across 50 CivetWeb worker threads without any mutual exclusion. Because multiple threads read and write the same buffer at once, a state arose where the Set-Cookie header one thread built for an administrator could be read by a thread handling a different request.

The CVSS vector is AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. No authentication is required (PR:N), and confidentiality, integrity, and availability all suffer severe impact (C:H/I:H/A:H). Triggering it needs "an administrator actively using the web interface (UI:R)" and a burst of concurrent requests to create a favorable timing window — both conditions the attacker can actively engineer. According to the official advisory (GHSA-9ff5-f3v5-2xc7), this was reported by the researcher T0X1Cx, and the fixed v6.6.1 eliminates the race by making the shared buffer thread-local and adding a mutex to session management.
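To make the bug class concrete, here is an added demonstration (constructed for this article, not Pi-hole FTL or CivetWeb code) of the two designs the advisory contrasts: a process-wide response-header buffer shared by worker threads versus a thread-local one. The buffer names, the session value and the forced interleaving are assumptions for the demo; the shared-buffer case is run sequentially in the losing order so the result is deterministic, while the thread-local case uses a real second thread.

```c
/* Added demo of the bug class behind CVE-2026-44693; constructed, not FTL/CivetWeb code.
 * Build: cc -pthread race_demo.c */
#include <pthread.h>
#include <stdio.h>
#include <string.h>
#define HDR_LEN 128
static char g_extra_headers[HDR_LEN];                /* vulnerable: one buffer for all workers */
static _Thread_local char tl_extra_headers[HDR_LEN]; /* hardened: one private buffer per thread */

static void set_cookie_header(char *buf, const char *sid) {
    snprintf(buf, HDR_LEN, "Set-Cookie: sid=%s; HttpOnly\r\n", sid);
}
/* 1 if a response built for an unauthenticated request carries a session cookie. */
static int carries_cookie(const char *headers) {
    return strstr(headers, "Set-Cookie") != NULL;
}

/* Shared buffer, with the losing interleaving forced so the demo is deterministic:
 * worker A has staged the admin's Set-Cookie in the global buffer, and before A
 * flushes and clears it, worker B copies that same buffer into its own response. */
int shared_buffer_leaks(void) {
    char response_b[HDR_LEN];
    set_cookie_header(g_extra_headers, "constructed-admin-sid"); /* worker A */
    strcpy(response_b, g_extra_headers);                         /* worker B */
    g_extra_headers[0] = '\0';                                   /* A clears */
    return carries_cookie(response_b);                           /* 1: leaked */
}
/* Worker B on a real thread: it can only ever see its own thread-local buffer. */
static void *worker_b(void *out) {
    *(int *)out = carries_cookie(tl_extra_headers);
    return NULL;
}
/* Thread-local buffer: the calling thread plays worker A and stages the cookie,
 * then worker B builds its response at the same point in the interleaving. */
int thread_local_buffer_leaks(void) {
    int leaked = -1;
    pthread_t b;
    set_cookie_header(tl_extra_headers, "constructed-admin-sid"); /* worker A */
    if (pthread_create(&b, NULL, worker_b, &leaked) != 0) return -1;
    pthread_join(b, NULL);
    tl_extra_headers[0] = '\0';                                   /* A clears */
    return leaked;                                                /* 0: isolated */
}

int main(void) {
    printf("global buffer leaks admin cookie to worker B: %d\n", shared_buffer_leaks());
    printf("thread-local buffer leaks admin cookie:       %d\n", thread_local_buffer_leaks());
    return 0;
}
```

The thread-local copy removes the cross-request sharing; the advisory's second measure, a mutex around session management, covers the state that must remain shared.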

Impact and Response Cheat Sheet

| Item | Detail |
| --- | --- |
| CVE | CVE-2026-44693 (CVSS 8.8 High) |
| Affected | Pi-hole FTL v6.0 – v6.6.0 |
| Precondition | Attacker on the same network + admin actively using web UI |
| Impact | Admin panel hijack without a password (full control) |
| Fix | Fixed in v6.6.1 (latest is v6.6.2) |

As of publication, this CVE is not listed in CISA KEV (the catalog of vulnerabilities confirmed exploited in the wild), and no actual exploitation has been reported. That said, the fix itself has been out since April, and now that the details are public as a CVE, unpatched environments are the most at risk. Pi-hole's DNS engine FTL is a product based on the widely used dnsmasq, often running as the backbone of homes and small networks, where it tends to be left untouched.

What Users Should Do Now

In priority order. This is for every home and organization running Pi-hole.

1. Update Pi-hole immediately. This is the only essential fix. From the admin panel or the command line, run pihole -up and raise FTL to v6.6.1 or later (ideally the latest v6.6.2). It does not update on its own, so check any install you haven't touched in a while right now.

2. Restrict who can reach the web admin panel. The attack assumes "the ability to flood the admin panel from the same network." If you are exposing Pi-hole's web admin (ports 80/443) directly to the internet, stop immediately and limit it to a trusted internal network or access via VPN only.

3. Separate visitors on the network. Keeping a guest Wi-Fi or smart-home appliances off the same network as your management devices (isolation via a guest network or VLAN) breaks the very precondition of "an attacker on the same network."

4. Consider resetting the admin password. In environments where you cannot rule out that a session was already stolen, change the admin password after updating and invalidate existing login sessions, to be safe. Also check for any configuration changes you don't recognize.

Timeline

| Date | Event |
| --- | --- |
| v6.0 | The major rewrite of FTL's web server (CivetWeb) introduced this race condition |
| April 24, 2026 | Fixed FTL v6.6.1 released (thread-local buffer + mutual exclusion) |
| June 11, 2026 | CVE-2026-44693 (CVSS 8.8) registered on NVD and details made public |

In Summary: The Network's Gatekeeper Impersonated by Someone in the Same Room

What CVE-2026-44693 lays bare is that Pi-hole's admin panel — the "gatekeeper" directing the whole network's traffic — can be seized without a password by someone on the same network. The cause was a humble but fatal implementation mistake: during a major rewrite of the web server, the mutual exclusion on a buffer shared across threads was missing. Take the gatekeeper's privileges, and the destinations and browsing history of every device behind it pass into the attacker's hands.

What to do is clear: update Pi-hole to v6.6.1 or later (the latest is v6.6.2) right now, isolate the web admin panel from the outside and from guest networks, and check for any configuration changes you don't recognize. Even though the fix has been out since April, the manual-update model means Pi-hole tends to be left alone — that's its Achilles' heel. Now that the details are public as a CVE, this is the moment to check that home or office Pi-hole you haven't touched in a while.
