Pi-hole Privilege Escalation via Systemd Scripts (CVE-2026-41489)

A critical local privilege escalation vulnerability, CVE-2026-41489, has been identified in Pi-hole versions 6.0 up to, but not including, Core 6.4.2 and FTL 6.6.1. The National Vulnerability Database reports that two systemd-executed shell scripts, pihole-FTL-prestart.sh and pihole-FTL-poststop.sh, read the files.pid path from configuration without validation. These scripts, running as root, then use this unvalidated path in privileged file operations, specifically install and rm -f.

An attacker with pihole user privileges can exploit this by injecting an arbitrary path into files.pid. Because the hooks run as root, this lets the attacker have root delete and then recreate any file on the system, bypassing the read-only protection that ProtectSystem=full places on system directories and effectively gaining write access to them. On a default Pi-hole installation, this directly leads to root-level privilege escalation through SSH authorized_keys manipulation.

If the /root/.ssh/authorized_keys file is absent (common on fresh installs), only the ExecStartPre hook is needed for exploitation. If the file exists, ExecStopPost first deletes it, and a subsequent restart triggers both hooks sequentially, achieving the same outcome. The National Vulnerability Database confirms this flaw is patched in Pi-hole Core 6.4.2 and FTL 6.6.1.
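The root cause described above is that the configured path reaches install and rm -f unchecked. As an added illustration, not Pi-hole's own code, the following POSIX shell snippet shows the validation a root-run ExecStartPre step could apply before touching that path. The function names, the assumed allowed directory (/run by default) and the file-creation call are assumptions of this example; the hardened hook deliberately omits the -o root -g root ownership flags so it can be run unprivileged.

```shell
#!/bin/sh
# Added example, not Pi-hole's own script: validate a configured PID-file
# path before a privileged systemd hook hands it to "install" or "rm -f".
# Allowed directory and function names are assumptions of this example.

# canon_dir DIR: print the physical (symlink-free) path of DIR, or fail.
canon_dir() {
  ( CDPATH= cd -- "$1" 2>/dev/null && pwd -P )
}

# validate_pid_path PATH [ALLOWED_DIR]
# Returns 0 only when PATH is a safe target: absolute, free of ".."
# components, with a parent directory that resolves (symlinks followed)
# to ALLOWED_DIR or a subdirectory of it, and not itself a symlink.
validate_pid_path() {
  pid_path="$1"
  allowed_dir="${2:-/run}"

  # Must be absolute: a relative value would be resolved against the
  # service's working directory, not against ALLOWED_DIR.
  case "$pid_path" in
    /*) ;;
    *) return 1 ;;
  esac

  # Reject traversal components outright rather than trying to normalise.
  case "/$pid_path/" in
    */../*) return 1 ;;
  esac

  # Canonicalise both sides so a symlinked parent cannot escape.
  allowed_real=$(canon_dir "$allowed_dir") || return 1
  parent_real=$(canon_dir "$(dirname -- "$pid_path")") || return 1
  case "$parent_real" in
    "$allowed_real"|"$allowed_real"/*) ;;
    *) return 1 ;;
  esac

  # A symlink at the target would redirect "rm -f" / "install" elsewhere.
  if [ -L "$pid_path" ]; then
    return 1
  fi
  return 0
}

# prestart_hook PID_PATH ALLOWED_DIR
# What a hardened ExecStartPre step does with the path: refuse anything the
# check rejects, otherwise create the empty PID file. The real hook would
# run as root and add "-o root -g root"; this example keeps the caller's
# ownership so it can be exercised without privileges.
prestart_hook() {
  if ! validate_pid_path "$1" "$2"; then
    echo "refusing to touch PID file outside $2: $1" >&2
    return 1
  fi
  install -m 0644 /dev/null "$1"
}

# Stand-alone demonstration on a constructed temporary directory.
demo_dir=$(mktemp -d)
prestart_hook "$demo_dir/pihole-FTL.pid" "$demo_dir" && echo "accepted: $demo_dir/pihole-FTL.pid"
prestart_hook "$demo_dir/../escape.pid" "$demo_dir" || echo "rejected as expected"
rm -rf "$demo_dir"
```

The check rejects relative values, any ".." component, a parent directory that resolves outside the allowed directory (symlinked parents included), and a symlink at the target itself, so a configuration value pointing under /root or /etc never reaches install or rm -f. Pi-hole's actual fix in Core 6.4.2 and FTL 6.6.1 may differ from this example.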

What This Means For You

  • If your organization runs an unpatched Pi-hole, it carries a critical privilege escalation vector. An attacker who gains even low-level access to the Pi-hole instance can quickly escalate to root. This means full control over your DNS, potential for traffic redirection, and a launchpad for further network compromise. Patch Pi-hole Core to 6.4.2 and FTL to 6.6.1 immediately.

🛡️ Detection Rules

Rule: Pi-hole Privilege Escalation via Systemd Script PID Manipulation - CVE-2026-41489 (level: critical; ATT&CK T1068 Privilege Escalation)

Sigma YAML:
title: Pi-hole Privilege Escalation via Systemd Script PID Manipulation - CVE-2026-41489
id: scw-2026-05-11-ai-1
status: experimental
level: critical
description: |
  Detects the execution of Pi-hole's systemd prestart and poststop scripts with commands that indicate the manipulation of the 'files.pid' configuration to perform privileged file operations. This is the core mechanism of the CVE-2026-41489 privilege escalation vulnerability, allowing an attacker to overwrite arbitrary files as root.
author: SCW Feed Engine (AI-generated)
date: 2026-05-11
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-41489/
tags:
  - attack.privilege_escalation
  - attack.t1068
logsource:
  category: process_creation
detection:
  # Each criterion is its own selection: a YAML map cannot carry the
  # same CommandLine|contains key more than once, and the condition
  # below requires every selection to match.
  selection_image:
    Image|endswith: '/usr/bin/sh'
  selection_script:
    CommandLine|contains:
      - 'pihole-FTL-prestart.sh'
      - 'pihole-FTL-poststop.sh'
  selection_fileop:
    CommandLine|contains:
      - 'install -o root -g root'
      - 'rm -f'
  selection_pidpath:
    CommandLine|contains: '/etc/pihole/files.pid'
  condition: all of selection_*
falsepositives:
  - Legitimate administrative activity


Indicators of Compromise

ID | Type | Indicator
CVE-2026-41489 | Privilege Escalation | Pi-hole Core versions 6.0 to before 6.4.2
CVE-2026-41489 | Privilege Escalation | Pi-hole FTL versions 6.0 to before 6.6.1
CVE-2026-41489 | Privilege Escalation | Vulnerable scripts: pihole-FTL-prestart.sh, pihole-FTL-poststop.sh
CVE-2026-41489 | Privilege Escalation | Arbitrary file write/delete via files.pid path manipulation
CVE-2026-41489 | Privilege Escalation | Attack vector: SSH authorized_keys manipulation

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 12, 2026 at 00:19 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
