Pi-hole: Local privilege escalation via config-controlled path in root-executed service...

8.8 / 10

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Description

Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. From 6.0 to before Core 6.4.2 and FTL 6.6.1, two shell scripts executed as root by systemd (pihole-FTL-prestart.sh and pihole-FTL-poststop.sh) read the files.pid path from this config without validation and use it in privileged file operations (install and rm -f). By writing an arbitrary path into files.pid, an attacker with pihole privilege can cause root to delete and then recreate any file on the system outside the ProtectSystem=full-restricted directories, gaining write access to it. On a default Pi-hole installation this yields local privilege escalation to root via SSH authorized keys manipulation. If /root/.ssh/authorized_keys does not exist (default on fresh installs), only ExecStartPre is required. If the file exists, ExecStopPost deletes it first, and the same restart triggers both hooks in sequence. This vulnerability is fixed in Core 6.4.2 and FTL 6.6.1.

AI Analysis

Local privilege escalation via config-controlled path in root-executed service hooks

Basic Information

ID CVE-2026-41489

Source GitHub_M

Published May 11, 2026 at 20:21

Affected Product

Vendor pi-hole

Product pi-hole

Version >= 6.0, < 6.4.2

Affected Versions pi-hole pi-hole >= 6.0, < 6.4.2

CWE Classification

CWE-732 CWE-269 CWE-15

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor Pi-hole

Product Pi-hole

Version 6.0 to 6.4.2

References

github.com /pi-hole/pi-hole/security/advisories/GHSA-6w8x-p785-6pm4

{
    "lastseen": "",
    "description": "Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. From 6.0 to before Core 6.4.2 and FTL 6.6.1, two shell scripts executed as root by systemd (pihole-FTL-prestart.sh and pihole-FTL-poststop.sh) read the files.pid path from this config without validation and use it in privileged file operations (install and rm -f). By writing an arbitrary path into files.pid, an attacker with pihole privilege can cause root to delete and then recreate any file on the system outside the ProtectSystem=full-restricted directories, gaining write access to it. On a default Pi-hole installation this yields local privilege escalation to root via SSH authorized keys manipulation. If /root/.ssh/authorized_keys does not exist (default on fresh installs), only ExecStartPre is required. If the file exists, ExecStopPost deletes it first, and the same restart triggers both hooks in sequence. This vulnerability is fixed in Core 6.4.2 and FTL 6.6.1.",
    "published": "2026-05-11T20:21:38.905Z",
    "modified": "2026-05-11T20:21:38.905Z",
    "type": "cve",
    "title": "Pi-hole: Local privilege escalation via config-controlled path in root-executed service hooks",
    "source": "GitHub_M",
    "references": "https://github.com/pi-hole/pi-hole/security/advisories/GHSA-6w8x-p785-6pm4",
    "id": "CVE-2026-41489",
    "bulletinFamily": "",
    "cwe": [
        "CWE-732",
        "CWE-269",
        "CWE-15"
    ],
    "cvelist": null,
    "sourceData": "pi-hole pi-hole >= 6.0, < 6.4.2",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "pi-hole",
    "version": ">= 6.0, < 6.4.2",
    "vendor": "pi-hole",
    "ai_description": "Local privilege escalation via config-controlled path in root-executed service hooks",
    "ai_severity": "High",
    "ai_vendor": "Pi-hole",
    "ai_product": "Pi-hole",
    "ai_version": "6.0 to 6.4.2",
    "ai_score": 8.8
}

Pi-hole: Local privilege escalation via config-controlled path in root-executed service hooks_CVE-2026-41489