AdGuard Home HTTP/2 Cleartext Upgrade Authentication Bypass Vulnerability

A critical authentication bypass vulnerability has been identified in AdGuard Home versions prior to 0.107.73. An unauthenticated remote attacker can exploit this issue by sending an HTTP/1.1 request that requests an upgrade to HTTP/2 cleartext (h2c). Once the upgrade is accepted, the resulting HTTP/2 connection is managed by an inner multiplexing layer that lacks authentication middleware. This flaw allows all subsequent HTTP/2 requests on that connection to be processed as fully authenticated, regardless of whether any credentials were provided. The vulnerability arises because the HTTP server's authentication middleware only wraps the outer layer, leaving the inner h2c handler unprotected.

Impact

Exploitation of this vulnerability grants full administrative access to the AdGuard Home API without the need for authentication. This includes the ability to read and modify DNS configurations, add filter lists, disable protection, change the admin password, and hijack DNS queries for all network clients.

Reproduction

To reproduce this vulnerability, establish a TCP connection to an AdGuard Home server running version 0.107.72 on the default port 3000. Send an HTTP/1.1 request to the public path '/control/login' with headers that request an upgrade to HTTP/2 cleartext. Once the server responds with '101 Switching Protocols', complete the HTTP/2 handshake and send HTTP/2 requests to administrative endpoints, such as '/control/status' or '/control/dhcp/status'. The server will respond with the requested information, demonstrating that authentication has been bypassed.

Remediation

Users can upgrade to AdGuard Home version 0.107.73 or later, where this vulnerability has been fixed. Alternatively, the authentication middleware can be moved inside the h2c handler to ensure it applies to all connections, or if h2c support is not needed, the h2c handler can be removed entirely.