{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33727", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-23T17:34:57.560Z", "datePublished": "2026-04-06T15:02:19.693Z", "dateUpdated": "2026-04-07T03:56:00.238Z"}, "containers": {"cna": {"title": "Pi-hole has a Local Privilege Escalation (post-compromise, pihole -> root).", "problemTypes": [{"descriptions": [{"cweId": "CWE-269", "lang": "en", "description": "CWE-269: Improper Privilege Management", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/pi-hole/pi-hole/security/advisories/GHSA-c935-8g63-qp74", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pi-hole/pi-hole/security/advisories/GHSA-c935-8g63-qp74"}], "affected": [{"vendor": "pi-hole", "product": "pi-hole", "versions": [{"version": ">= 6.4, < 6.4.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-06T15:02:19.693Z"}, "descriptions": [{"lang": "en", "value": "Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Version 6.4 has a local privilege-escalation vulnerability allows code execution as root from the low-privilege pihole account. Important context: the pihole account uses nologin, so this is not a direct interactive-login issue. However, nologin does not prevent code from running as UID pihole if a Pi-hole component is compromised. In that realistic post-compromise scenario, attacker-controlled content in /etc/pihole/versions is sourced by root-run Pi-hole scripts, leading to root code execution. This vulnerability is fixed in 6.4.1."}], "source": {"advisory": "GHSA-c935-8g63-qp74", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2026-33727"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-07T03:56:00.238Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Version 6.4 has a local privilege-escalation vulnerability allows code execution as root from the low-privilege pihole account. Important context: the pihole account uses nologin, so this is not a direct interactive-login issue. However, nologin does not prevent code from running as UID pihole if a Pi-hole component is compromised. In that realistic post-compromise scenario, attacker-controlled content in /etc/pihole/versions is sourced by root-run Pi-hole scripts, leading to root code execution. This vulnerability is fixed in 6.4.1."}], "id": "CVE-2026-33727", "lastModified": "2026-04-06T16:16:33.987", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.5, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-06T16:16:33.987", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/pi-hole/pi-hole/security/advisories/GHSA-c935-8g63-qp74"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[6.4,6.4.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "pi-hole", "source": "cna", "vendor": "pi-hole"}, "product": "pi-hole", "vendor": "pi-hole"}], "analysis": {"en": {"generated_at": "2026-04-06T17:39:41.310155+00:00", "value": {"mitigation_remediation": ["Update Pi\u2011hole to version\u202f6.4.1 or later to apply the fixed patch.", "Verify the integrity of the /etc/pihole/versions file and other Pi\u2011hole configuration files, ensuring they have not been tampered with.", "Restrict write access to /etc/pihole/versions by setting appropriate permissions or using AppArmor/SELinux policies to prevent non\u2011root writes."], "summary": {"action": "Apply patch", "impact": "Privilege Escalation to root"}, "threat_synthesis": {"affected_systems": "Vendors and products affected are Pi\u2011hole, the network\u2011level ad\u2011blocking application written for Linux. Only the 6.4 release series is vulnerable; the issue is fixed in 6.4.1. Any installation of Pi\u2011hole 6.4 that has not been upgraded is at risk. Devices running this version on routers, Raspberry Pi, or other embedded Linux platforms could be compromised.", "description_and_impact": "Pi\u2011hole version\u202f6.4 contains a local privilege\u2011escalation vulnerability that allows an attacker who has already gained code execution as the low\u2011privileged \"pihole\" user to replace or modify the file /etc/pihole/versions. This file is read and sourced by scripts that run as root, so the attacker can execute arbitrary code with root privileges. The weakness is a classic privilege\u2011escalation scenario, identified as CWE\u2011269. The impact is elevation of an attacker from a non\u2011root user to full root access on the system, enabling total control over the device and its network traffic.", "risk_and_exploitability": "The CVSS score of 6.4 indicates a moderate to high severity, while the EPSS score is not available and the vulnerability is not listed in CISA\u2019s KEV catalog. Because the vulnerability requires a prior local compromise to place malicious content into /etc/pihole/versions, it is not exploitable from the network alone. However, once an attacker has local code execution as the \"pihole\" user, escalation to root is almost immediate and straightforward, making the risk significant in a post-compromise scenario."}}}}, "created": "2026-04-06T20:14:16.258777+00:00", "updated": "2026-04-06T21:32:29.686039+00:00", "vendors": ["pi-hole", "pi-hole$PRODUCT$pi-hole"]}