CVE-2026-33727 MEDIUM

CVE-2026-33727: Pi-hole has a Local Privilege Escalation (post-compromise, pihole -> root).

Vendor Pi-Hole

Product pi-hole

Weakness CWE-269

Published April 6, 2026

Last update April 7, 2026

View on NVD All CVEs

CVSS base score

6.4/10

Attack vector Local

Attack complexity High

Privileges required High

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Pi-hole is a Linux network-level advertisement and Internet tracker blocking application. Version 6.4 has a local privilege-escalation vulnerability allows code execution as root from the low-privilege pihole account. Important context: the pihole account uses nologin, so this is not a direct interactive-login issue. However, nologin does not prevent code from running as UID pihole if a Pi-hole component is compromised. In that realistic post-compromise scenario, attacker-controlled content in /etc/pihole/versions is sourced by root-run Pi-hole scripts, leading to root code execution. This vulnerability is fixed in 6.4.1.

Key dates

02Disclosure timeline

April 6, 2026 CVE published

April 7, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-33727 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/269.html

Related vulnerabilities

CVE-2026-33727: Pi-hole has a Local Privilege Escalation (post-compromise, pihole -> root).

01Description

02Disclosure timeline

03References

04Related CVE