Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Wed, 15 Jul 2026 15:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Pi-hole
Pi-hole pi-hole |
|
| Vendors & Products |
Pi-hole
Pi-hole pi-hole |
Wed, 15 Jul 2026 13:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Tue, 14 Jul 2026 22:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Pi-hole is a DNS sinkhole that protects devices from unwanted content without installing any client-side software. From 6.0 to 6.4.2, a user with code execution as the unprivileged pihole user can escalate to root by replacing /etc/pihole/logrotate. The replacement is laundered to root:root ownership by pihole-FTL-prestart.sh and then parsed as root by the daily pihole flush cron, executing firstaction shell as uid 0. This issue is fixed in version 6.4.3. | |
| Title | Pi-hole: Local privilege escalation from `pihole` user to root via `/etc/pihole/logrotate` | |
| Weaknesses | CWE-282 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-15T12:44:08.515Z
Reserved: 2026-06-03T18:49:32.275Z
Link: CVE-2026-50130
Updated: 2026-07-15T12:43:41.506Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-15T14:45:03Z