{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "cpe": "cpe:2.3:a:pi-hole:ftldns:*:*:*:*:*:*:*:*",
            "extracted_events": [
              {
                "introduced": "6.0"
              },
              {
                "fixed": "6.6"
              }
            ],
            "source": [
              "AFFECTED_FIELD",
              "CPE_RANGE"
            ]
          },
          "events": [
            {
              "introduced": "eaa7dbb4cf4316413558c9d4b4e3f2a44f8e8203"
            },
            {
              "fixed": "71b6fc62571075740a3c721d5e961db9c3609376"
            }
          ],
          "repo": "https://github.com/pi-hole/ftl",
          "type": "GIT"
        }
      ]
    }
  ],
  "aliases": [
    "GHSA-r7g8-3fj7-m5qq"
  ],
  "database_specific": {
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
      "CWE-863"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/35xxx/CVE-2026-35491.json"
  },
  "details": "FTLDNS (pihole-FTL) provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, Pi-hole FTL supports a CLI password feature (webserver.api.cli_pw) that creates “CLI” API sessions intended to be read-only for configuration changes. While /api/config correctly blocks CLI sessions from mutating configuration, /api/teleporter allowed Teleporter imports for CLI sessions, enabling a CLI-scoped session to overwrite configuration via a Teleporter archive (authorization bypass). This vulnerability is fixed in 6.6.",
  "id": "CVE-2026-35491",
  "modified": "2026-07-15T01:49:03.696517061Z",
  "published": "2026-04-07T15:00:11.079Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/35xxx/CVE-2026-35491.json"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/pi-hole/FTL/security/advisories/GHSA-r7g8-3fj7-m5qq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35491"
    }
  ],
  "schema_version": "1.8.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Pi-hole FTL: CLI API sessions can import Teleporter archives and modify configuration"
}