NIXPKGS-2026-0994

GitHub issue published 2 months, 2 weeks ago

Permalink CVE-2026-35491

6.1 MEDIUM

CVSS version (CVSS): 3.1
Attack Vector (AV): Local (L)
Attack Complexity (AC): Low (L)
Privileges Required (PR): Low (L)
User Interaction (UI): None (N)
Scope (S): Unchanged (U)
Confidentiality (C): None (N)
Integrity (I): High (H)
Availability (A): Low (L)
Modified Attack Vector (MAV): Local (L)
Modified Attack Complexity (MAC): Low (L)
Modified Privileges Required (MPR): Low (L)
Modified User Interaction (MUI): None (N)
Modified Confidentiality (MC): None (N)
Modified Scope (MS): Unchanged (U)
Modified Integrity (MI): High (H)
Modified Availability (MA): Low (L)

updated 2 months, 2 weeks ago by @LeSuisse Activity log

Created suggestion 2 months, 2 weeks ago
@LeSuisse ignored
5 packages
- swiftlint
- python312Packages.softlayer
- python313Packages.softlayer
- python314Packages.softlayer
- chickenPackages_5.chickenEggs.ftl
2 months, 2 weeks ago
@LeSuisse accepted 2 months, 2 weeks ago
@LeSuisse published on GitHub 2 months, 2 weeks ago

Pi-hole FTL: CLI API sessions can import Teleporter archives and modify configuration

FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, Pi-hole FTL supports a CLI password feature (webserver.api.cli_pw) that creates “CLI” API sessions intended to be read-only for configuration changes. While /api/config correctly blocks CLI sessions from mutating configuration, /api/teleporter allowed Teleporter imports for CLI sessions, enabling a CLI-scoped session to overwrite configuration via a Teleporter archive (authorization bypass). This vulnerability is fixed in 6.6.