CVE-2026-35491
CWE-863Published: April 7, 2026· Updated: Apr 8, 2026
Official Description
FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, Pi-hole FTL supports a CLI password feature (webserver.api.cli_pw) that creates “CLI” API sessions intended to be read-only for configuration changes. While /api/config correctly blocks CLI sessions from mutating configuration, /api/teleporter allowed Teleporter imports for CLI sessions, enabling a CLI-scoped session to overwrite configuration via a Teleporter archive (authorization bypass). This vulnerability is fixed in 6.6.
Technical Analysis
CVE-2026-35491 requires local access, meaning attackers must already have a foothold on the target system.
Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.
A successful exploit results in full integrity compromise (data manipulation), with a CVSS base score of 6.1.
CVSS v3.1 Vector Breakdown
Exploit & PoC Resources
All References (1)
Quick Facts
Related CVEs (CWE-863)
Recommended Actions
- →Apply vendor patches immediately
- →Monitor CVE-2026-35491 in threat intel feeds
- →Review IDS/IPS signatures for exploitation attempts