CVSS 8.1 HIGH Vulnerability

CVE-2026-42606: AzuraCast has Password Reset Poisoning via Untrusted X-Forwarded-Host Header that Leads t…

CVSS Score: 8.1 · Severity: HIGH · CISA KEV: No · Impact Type: Vulnerability

📋 Vulnerability Details

CVE ID: CVE-2026-42606
Vendor / ecosystem: composer
Affected Product: azuracast/azuracast
Vulnerability Type: Vulnerability
CVSS Score: 8.1 (HIGH)
Actively Exploited: ❌ No known exploitation
Patch Status: See Vendor Advisory →
Reported By: CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis

Summary

The ApplyXForwarded middleware trusts the client-supplied X-Forwarded-Host HTTP header unconditionally; there is no allowlist of proxies that are permitted to set it. An unauthenticated attacker can therefore inject the header while triggering the forgot-password flow for any user, so that the password reset URL in the resulting e-mail points at a host the attacker controls. When the victim clicks the poisoned link, the reset token in the URL is delivered to the attacker's server. The attacker then replays that token against the real instance to set a new password for the victim and remove the victim's 2FA configuration, achieving full account takeover.

Details

Root Cause 1: Unconditional X-Forwarded-Host trust (backend/src/Middleware/ApplyXForwarded.php:35-40):

```php
// Excerpt as quoted by the advisory (truncated in the source).
if ($request->hasHeader('X-Forwarded-Host')) {
    // No check that the request arrived via a trusted reverse proxy:
    // any client that sets this header has it honoured.
    $hasXForwardedHeader = true;
    $xfHost = Types::stringOrNull($request->getHea
```
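
The attack flow from the summary and the check missing from the root cause above, as an added example that is not AzuraCast's code. It is written in Python rather than the project's PHP so the vulnerable and hardened host resolution can be run side by side; CANONICAL_HOST, TRUSTED_PROXIES, RESET_PATH, the function names and the attacker request are all assumptions constructed for the example.

```python
# Added example, not AzuraCast's code: models the header handling behind
# CVE-2026-42606 in vulnerable and hardened form. CANONICAL_HOST,
# TRUSTED_PROXIES, RESET_PATH and the function names are assumed names.
from ipaddress import ip_address, ip_network
from urllib.parse import urlunsplit

# Constructed deployment facts: the hostname this instance is published under
# and the reverse proxies that are allowed to set X-Forwarded-* headers.
CANONICAL_HOST = "radio.example.org"
TRUSTED_PROXIES = [ip_network("10.0.0.0/8"), ip_network("127.0.0.1/32")]
RESET_PATH = "/recover"  # assumed path of the reset link


def _first_forwarded_host(headers):
    """X-Forwarded-Host may carry a comma-separated chain; the first entry is
    the host the original client asked for. Returns None when absent."""
    raw = headers.get("X-Forwarded-Host", "")
    return raw.split(",")[0].strip().lower() or None


def resolve_host_vulnerable(remote_addr, headers):
    """Mirrors the advisory's root cause: the header is honoured no matter who
    sent it, so the requester picks the host that ends up in the reset URL."""
    return _first_forwarded_host(headers) or headers.get("Host", CANONICAL_HOST).lower()


def _peer_is_trusted_proxy(remote_addr):
    """True only if the TCP peer address falls inside an allowlisted proxy range."""
    try:
        peer = ip_address(remote_addr)
    except ValueError:
        return False
    return any(peer in net for net in TRUSTED_PROXIES)


def resolve_host_hardened(remote_addr, headers):
    """Honour X-Forwarded-Host only if (a) the TCP peer is an allowlisted proxy
    and (b) the forwarded host is the one this instance is configured for.
    Every other case falls back to CANONICAL_HOST, never to client data."""
    forwarded = _first_forwarded_host(headers)
    if forwarded and _peer_is_trusted_proxy(remote_addr) and forwarded == CANONICAL_HOST:
        return forwarded
    return CANONICAL_HOST


def build_reset_url(host, token):
    """The link that gets e-mailed: host from the resolver, token from the server."""
    return urlunsplit(("https", host, RESET_PATH, f"token={token}", ""))


def forgot_password(resolver, remote_addr, headers, token):
    """Simulates the forgot-password handler: it builds the link with whatever
    host the given resolver returns for the triggering request."""
    return build_reset_url(resolver(remote_addr, headers), token)


def is_suspicious_request(remote_addr, headers):
    """Detection check for the same condition in access logs: an X-Forwarded-Host
    that did not arrive via a trusted proxy, or that names a host we do not serve."""
    forwarded = _first_forwarded_host(headers)
    if forwarded is None:
        return False
    return not _peer_is_trusted_proxy(remote_addr) or forwarded != CANONICAL_HOST


if __name__ == "__main__":
    # Constructed attacker request: sent straight from the internet with a
    # poisoned header while Host still names the real instance.
    attacker = {"Host": "radio.example.org", "X-Forwarded-Host": "attacker.example.net"}
    print(forgot_password(resolve_host_vulnerable, "203.0.113.5", attacker, "t0k3n"))
    print(forgot_password(resolve_host_hardened, "203.0.113.5", attacker, "t0k3n"))
```

The hardened resolver combines the two controls a reviewer would ask for: a trusted-proxy allowlist keyed on the real peer address (not on any header), and pinning of the host used in security-sensitive URLs to the configured canonical value. Pinning matters because even a trusted proxy can be misconfigured to pass through a client's header verbatim; the reset link should never depend on request data at all.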
