{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35491", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-02T20:49:44.454Z", "datePublished": "2026-04-07T15:00:11.079Z", "dateUpdated": "2026-04-07T17:52:48.043Z"}, "containers": {"cna": {"title": "Pi-hole FTL: CLI API sessions can import Teleporter archives and modify configuration", "problemTypes": [{"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/pi-hole/FTL/security/advisories/GHSA-r7g8-3fj7-m5qq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pi-hole/FTL/security/advisories/GHSA-r7g8-3fj7-m5qq"}], "affected": [{"vendor": "pi-hole", "product": "FTL", "versions": [{"version": ">= 6.0, < 6.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T15:00:11.079Z"}, "descriptions": [{"lang": "en", "value": "FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, Pi-hole FTL supports a CLI password feature (webserver.api.cli_pw) that creates \u201cCLI\u201d API sessions intended to be read-only for configuration changes. While /api/config correctly blocks CLI sessions from mutating configuration, /api/teleporter allowed Teleporter imports for CLI sessions, enabling a CLI-scoped session to overwrite configuration via a Teleporter archive (authorization bypass). This vulnerability is fixed in 6.6."}], "source": {"advisory": "GHSA-r7g8-3fj7-m5qq", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-07T17:52:41.306420Z", "id": "CVE-2026-35491", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T17:52:48.043Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35491", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-07T17:52:41.306420Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T17:52:44.732Z"}}], "cna": {"title": "Pi-hole FTL: CLI API sessions can import Teleporter archives and modify configuration", "source": {"advisory": "GHSA-r7g8-3fj7-m5qq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "pi-hole", "product": "FTL", "versions": [{"status": "affected", "version": ">= 6.0, < 6.6"}]}], "references": [{"url": "https://github.com/pi-hole/FTL/security/advisories/GHSA-r7g8-3fj7-m5qq", "name": "https://github.com/pi-hole/FTL/security/advisories/GHSA-r7g8-3fj7-m5qq", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, Pi-hole FTL supports a CLI password feature (webserver.api.cli_pw) that creates \u201cCLI\u201d API sessions intended to be read-only for configuration changes. While /api/config correctly blocks CLI sessions from mutating configuration, /api/teleporter allowed Teleporter imports for CLI sessions, enabling a CLI-scoped session to overwrite configuration via a Teleporter archive (authorization bypass). This vulnerability is fixed in 6.6."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863: Incorrect Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T15:00:11.079Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35491", "state": "PUBLISHED", "dateUpdated": "2026-04-07T17:52:48.043Z", "dateReserved": "2026-04-02T20:49:44.454Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T15:00:11.079Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pi-hole:ftldns:*:*:*:*:*:*:*:*", "matchCriteriaId": "B6C2E10B-7CA2-4E8D-A474-B7980BF3FC2C", "versionEndExcluding": "6.6", "versionStartIncluding": "6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, Pi-hole FTL supports a CLI password feature (webserver.api.cli_pw) that creates \u201cCLI\u201d API sessions intended to be read-only for configuration changes. While /api/config correctly blocks CLI sessions from mutating configuration, /api/teleporter allowed Teleporter imports for CLI sessions, enabling a CLI-scoped session to overwrite configuration via a Teleporter archive (authorization bypass). This vulnerability is fixed in 6.6."}], "id": "CVE-2026-35491", "lastModified": "2026-04-17T19:47:02.883", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T16:16:27.467", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/pi-hole/FTL/security/advisories/GHSA-r7g8-3fj7-m5qq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[6.0,6.6)"}}], "enrichment": {"confidence": 88.0, "confidence_source": "matching", "scores": [{"score": 88.0, "source": "matching"}]}, "original": {"product": "FTL", "source": "cna", "vendor": "pi-hole"}, "product": "ftldns", "vendor": "pi-hole"}], "analysis": {"en": {"generated_at": "2026-04-07T23:24:12.880505+00:00", "value": {"mitigation_remediation": ["Upgrade Pi\u2011hole FTL to version 6.6 or later.", "If immediate upgrade is not possible, disable the /api/teleporter endpoint or restrict CLI password usage until a patch is applied."], "summary": {"action": "Apply Patch", "impact": "Configuration Modification"}, "threat_synthesis": {"affected_systems": "The affected product is Pi\u2011hole FTL versions 6.0 through 6.5 inclusive. Systems running those versions are vulnerable until updated to 6.6 or later.", "description_and_impact": "Pi\u2011hole FTL provides an interactive API that is intended to be read\u2011only for sessions created with a CLI password. The flaw allows those sessions to import Teleporter archives through the /api/teleporter endpoint, which can overwrite configuration settings. This results in unauthorized modifications of DNS and filtering options, potentially disrupting service or redirecting traffic.", "risk_and_exploitability": "The CVSS score of 6.1 indicates medium severity. EPSS information is not available and the issue is not listed in CISA's KEV catalog. Based on the description, the low effort required relies on possessing a CLI password; after gaining a CLI\u2011scoped session the attacker can call /api/teleporter with a malicious Teleporter archive to rewrite configuration. The vulnerability is fixed in version 6.6, so upgrading removes the risk."}}}}, "created": "2026-04-08T19:48:32.904568+00:00", "updated": "2026-04-09T08:24:18.820844+00:00", "vendors": ["pi-hole", "pi-hole$PRODUCT$ftldns"]}