CVE-2026-50130 in Pi-holeinfo

Summary

by MITRE • 07/15/2026

Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. From 6.0 to 6.4.2, a user with code execution as the unprivileged pihole user can escalate to root by replacing /etc/pihole/logrotate. The replacement is laundered to root:root ownership by pihole-FTL-prestart.sh and then parsed as root by the daily pihole flush cron, executing firstaction shell as uid 0. This issue is fixed in version 6.4.3.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/15/2026

The vulnerability under discussion represents a sophisticated privilege escalation flaw within the Pi-hole DNS sinkhole system affecting versions 6.0 through 6.4.2. This issue stems from a critical design flaw in how file ownership and execution permissions are handled during the system's startup and maintenance processes, creating a pathway for unprivileged users to gain root access. The vulnerability manifests through a carefully orchestrated sequence that exploits trust relationships within the system's boot and maintenance routines.

The technical exploitation begins with a user possessing code execution capabilities as the unprivileged pihole user, which appears to be a legitimate operational requirement for normal system functioning. However, this privilege level becomes exploitable due to insufficient validation of file ownership and access controls during system initialization. The attacker can replace the /etc/pihole/logrotate configuration file with a maliciously crafted version that leverages the system's trust in the pihole-FTL-prestart.sh script to launder the file ownership to root:root. This laundering process involves the script intentionally changing file permissions and ownership, which creates a false sense of security around the modified file.

The operational impact becomes critical when the maliciously modified logrotate configuration gets processed by the daily pihole flush cron job that executes with root privileges. The cron job's execution context allows it to parse and execute the firstaction shell command as uid 0, effectively elevating the attacker's privileges from unprivileged pihole user to full root access. This represents a classic privilege escalation vector where a low-privilege user can manipulate system files that are processed with elevated permissions, directly violating the principle of least privilege.

This vulnerability aligns with CWE-276, which addresses improper file permissions and inadequate access control mechanisms. The flaw demonstrates how insufficient validation of file ownership and execution contexts during system startup can create persistent backdoors for privilege escalation attacks. From an attack perspective, this vulnerability maps to multiple ATT&CK techniques including privilege escalation through scheduled task manipulation and persistence mechanisms, with the initial access point being user execution leading to privilege escalation via exploitation of system configuration files.

The remediation implemented in version 6.4.3 addresses this issue by strengthening access control validation during the system initialization process and ensuring that file ownership checks occur before any potentially dangerous operations are executed. The fix likely involves implementing more rigorous verification of file integrity and ownership before allowing system processes to execute with elevated privileges, preventing the laundering of malicious file ownership from taking effect. This represents a fundamental improvement in the security architecture of Pi-hole's startup sequence, aligning with industry best practices for secure system initialization and privilege management.

The broader implications of this vulnerability extend beyond just the Pi-hole system, as it demonstrates how seemingly benign system maintenance operations can become attack vectors when proper access controls are not enforced. The flaw highlights the importance of validating file ownership and permissions during critical system startup phases, particularly in environments where multiple users may have access to system configuration directories. This issue underscores why security-conscious organizations must implement comprehensive privilege separation mechanisms and why regular security audits of system initialization processes are essential for maintaining robust defenses against privilege escalation attacks.

Organizations deploying Pi-hole solutions should immediately update to version 6.4.3 or later to address this vulnerability, as the attack vector provides a straightforward path for attackers to gain complete system control. The vulnerability's exploitation requires minimal sophistication and can be automated, making it particularly dangerous in production environments where system integrity is paramount. Security teams should also conduct thorough audits of their Pi-hole deployments to ensure no unauthorized modifications have occurred and that proper file access controls remain in place across all system configuration directories.

Responsible

GitHub M

Reservation

06/03/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00225

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!