Changes compared to the previous beta, v0.108.0-b.87. See CHANGELOG.md for all changes.
A special thanks to @djnnvx for reporting the vulnerability, our community moderators team, as well as to everyone who filed and inspected issues, added translations, and helped us test this release!
Authorization in GLiNET mode is no longer vulnerable to path traversal attacks.
NOTE: This is CVE-2026-41448. We thank @djnnvx for reporting this security issue.
The quality of a product is not defined solely by code or developers’ technical prowess. A strong community—or the lack of one—can often make or break how successful a piece of software will be. We are very lucky to have such a devoted and passionate community around AdGuard Home. This update has once again demonstrated this, as we were able to quickly address a vulnerability reported by one of our community members.
A special thanks to @djnnvx for reporting the vulnerability, our community moderators team and to everyone who filed and inspected issues, added translations, and helped us test this release!
See also the v0.107.77 GitHub milestone.
Authorization in GLiNET mode is no longer vulnerable to path traversal attacks.
NOTE: This is CVE-2026-41448. We thank @djnnvx for reporting this security issue.
reason query parameter in GET /control/querylog. See openapi/openapi.yaml for the full description.response_status in GET /control/querylog is now deprecated. Use new reason query parameter instead.Changes compared to the previous beta, v0.108.0-b.82. See CHANGELOG.md for all changes.
Go version has been updated to prevent the possibility of exploiting the Go vulnerabilities fixed in 1.26.1.
Authentication is now applied to requests that have been upgraded from HTTP/2 Cleartext (H2C) requests to public resources.
NOTE: We thank @mandreko for reporting this security issue.
We are releasing this hotfix to address a recently discovered critical vulnerability that could allow users to bypass authentication and gain full access to AdGuard Home without valid credentials. We strongly recommend updating your AdGuard Home clients immediately.
A special thanks to @mandreko for reporting the vulnerability, our community moderators team and to everyone who filed and inspected issues, added translations, and helped us test this release!
See also the v0.107.73 GitHub milestone.
Authentication is now applied to requests that have been upgraded from HTTP/2 Cleartext (H2C) requests to public resources.
NOTE: We thank @mandreko for reporting this security issue.
The first release of the year is always important — it sets the tone for the months ahead 📆
The way we kick things off in 2026 may not be flashy, but it’s a solid mix: the new way of handling TLS certificate updates, a couple of other, minor new features, some configuration changes, a couple of key fixes, and the usual security update.
Stay tuned for more goodies to come!
A special thanks to our community moderators team and to everyone who filed and inspected issues, added translations, and helped us test this release!
See also the v0.107.72 GitHub milestone.
AdGuard Home now tracks the TLS certificate and key files for updates and reloads them after any updates are detected (#3962).
New query parameter recent in GET /control/stats/ defines statistics lookback period in millieseconds. See openapi/openapi.yaml for details.
New field "ignored_enabled" in GetStatsConfigResponse or GetQueryLogConfigResponse. See openapi/openapi.yaml for details.
In this release, the schema version has changed from 32 to 33.
Added a new boolean field ignored_enabled in querylog and statistics config.
# BEFORE: 'querylog': # … 'ignored': - '|.^' 'statistics': # … 'ignored': - '|.^' # AFTER: 'querylog': # … 'ignored': - '|.^' 'ignored_enabled': true 'statistics': # … 'ignored': - '|.^' 'ignored_enabled': true ``` To roll back this change, set the `schema_version` back to `32`. Executable permissions in some Docker installations (#8237).
Unknown blocked services from both global and client configuration now logged instead of causing server crash.
Changes compared to the previous beta, v0.108.0-b.82. See CHANGELOG.md for all changes.
Go version has been updated to prevent the possibility of exploiting the Go vulnerabilities fixed in 1.26.1.
Authentication is now applied to requests that have been upgraded from HTTP/2 Cleartext (H2C) requests to public resources.
NOTE: We thank @mandreko for reporting this security issue.