Recent updates to Pi-hole, a DNS-based ad-blocker, have addressed several significant security vulnerabilities. These vulnerabilities could potentially allow unauthorized privileges or admin session takeovers.
Security Vulnerabilities Resolved
In a comprehensive blog post, the developers summarized the changes and provided an overview of the security weaknesses that have been patched. Out of the six identified vulnerabilities, four are classified as high risk, while one is medium and one low. For instance, users with ‘pihole’ privileges could gain root access by manipulating the “logrotate” file (CVE-2026-50130; CVSS score of 8.8, categorized as high)
Session Timeout Weakness
Another significant vulnerability involved a practically ineffective session timeout mechanism. This flaw allowed any previously valid session ID with admin access to remain valid indefinitely (no CVE entry; CVSS score of 8.8, risk rated as high). Such weaknesses put systems at great risk and highlight the need for timely updates.
Denial-of-Service Attacks
Additionally, the lack of rate limiting allowed for Denial-of-Service (DoS) attacks (CVE-2025-62165; CVSS score of 7.5, classified as high). Attackers could exploit this vulnerability to overwhelm the system, rendering it unresponsive.
New Capabilities for Admins
Logged-in admins faced further risks; attackers could execute arbitrary commands on the Pi-hole server by exploiting vulnerabilities in the Teleporter tool, which is used to migrate Pi-hole configurations to other systems (no CVE entry; CVSS score of 7.2, classified as high).
Command Injection
Additional vulnerabilities permitted command injections that could be executed under ‘pihole’ user privileges (no CVE entry; CVSS score of 6.6, risk rated as medium). Moreover, assailants could inject HTTP response headers (no CVE entry; CVSS score of 3.5, rated as low).
Update to Secure Versions
To address these serious security issues, version updates to Pi-hole-FTL v6.7, Pi-hole-Web v6.6, and Pi-hole-Core v6.4.3 have been released. Admins can quickly update their systems by entering sudo pihole -up in a terminal. This command updates all components effortlessly.
Interested users can find detailed changes and enhancements in the blog post linked above. Previously, vulnerabilities in the used dnsmasq were also patched in May, which could allow for malware injection.
Keeping your Pi-hole updated is crucial for maintaining system integrity and security. Regular updates ensure you’re protected against emerging threats and can utilize new features effectively.

