CVE-2026-32616
Host Header Injection in Pigeon Enables Account Takeover
Publication date: 2026-03-16
Last updated on: 2026-03-16
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kasuganosoras | pigeon | < 1.0.201 (1.0.201 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32616 is a Host Header Injection vulnerability in the Pigeon application, which is a message board/notepad/social system/blog. Prior to version 1.0.201, the application uses the HTTP Host header (`$_SERVER['HTTP_HOST']`) without validating it to construct email verification URLs during user registration and resend mail flows.

An attacker can manipulate the Host header in an HTTP request to craft verification links that point to an attacker-controlled domain. This allows the attacker to intercept the email verification token sent to users, potentially leading to account takeover.

The vulnerability is classified under CWE-74, which involves improper neutralization of special elements in output used by a downstream component, allowing injection attacks. It was fixed in version 1.0.201 by replacing the dynamic Host header usage with a fixed canonical domain from the application's configuration. [1]
How can this vulnerability impact me?
This vulnerability can have serious security impacts by allowing attackers to hijack user accounts. By manipulating the Host header, attackers can cause verification emails to contain links pointing to domains they control, enabling them to steal email verification tokens.
With these stolen tokens, attackers can take over user accounts, compromising confidentiality and user trust. The CVSS v3.1 score of 8.2 indicates a high severity, with a high impact on confidentiality and a low impact on integrity, but no impact on availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves manipulation of the HTTP Host header to inject attacker-controlled domains into email verification URLs. To detect exploitation attempts on your network or system, you should monitor HTTP requests for unusual or unexpected Host header values, especially those differing from your legitimate domain.

You can use network monitoring tools or web server logs to identify suspicious Host headers. For example, using command-line tools like curl to test the application by sending requests with custom Host headers can help verify if the application is vulnerable.

- Example curl command to test Host header manipulation: `curl -H "Host: attacker.com" https://your-pigeon-app/register`
- Check web server access logs for requests with unexpected Host headers: `grep 'Host: ' /var/log/nginx/access.log | grep -v 'yourlegitdomain.com'`
- Use intrusion detection systems or web application firewalls to alert on Host header anomalies. [1]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the Pigeon application to version 1.0.201 or later, where the vulnerability is fixed by replacing the dynamic use of `$_SERVER['HTTP_HOST']` with a fixed canonical domain from the configuration.

As an immediate workaround before upgrading, place the application behind a reverse proxy (such as Nginx) that enforces a fixed Host header. This prevents attacker-controlled Host headers from reaching the application and being used in email verification URLs.

- Upgrade Pigeon to version 1.0.201 or later.
- Configure a reverse proxy to validate and fix the Host header, for example in Nginx: `proxy_set_header Host yourlegitdomain.com;`
- Monitor logs for suspicious Host header values to detect exploitation attempts. [1, 2]
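The following added example is not Pigeon's source code; it illustrates the vulnerable pattern described above (link host taken from `$_SERVER['HTTP_HOST']`) next to the fixed pattern (host taken from configuration), plus an optional Host allow-list check. The config key `site_url`, the `verify.php` path and the sample values are assumptions for the demonstration.

```php
<?php
// Added illustration, not Pigeon's code. 'site_url' is an assumed name for
// the canonical-domain configuration setting; 'verify.php' is an assumed path.

// Pattern described for versions before 1.0.201: the link host comes straight
// from the request, so whoever controls the Host header chooses where the
// verification token is sent.
function buildVerifyUrlVulnerable(string $token): string
{
    $host = $_SERVER['HTTP_HOST'];
    return 'https://' . $host . '/verify.php?token=' . urlencode($token);
}

// Pattern of the fix: the host is a fixed value from configuration and the
// request's Host header is never consulted when building the link.
function buildVerifyUrlFixed(array $config, string $token): string
{
    $base = rtrim($config['site_url'], '/');
    return $base . '/verify.php?token=' . urlencode($token);
}

// Defence in depth: reject requests whose Host is not on an allow-list, so a
// misconfigured proxy cannot reintroduce attacker-chosen hosts.
function assertAllowedHost(array $allowedHosts): void
{
    $host = strtolower($_SERVER['HTTP_HOST'] ?? '');
    $host = preg_replace('/:\d+$/', '', $host); // ignore an explicit port
    if (!in_array($host, $allowedHosts, true)) {
        http_response_code(400);
        exit('Bad Host header');
    }
}

// Constructed request: the Host header names a domain the site does not own.
$_SERVER['HTTP_HOST'] = 'attacker.example';
$config = ['site_url' => 'https://pigeon.example'];
$token  = 'demo-token'; // constructed placeholder, not a real token

// The first link leaks the token to attacker.example; the second always
// points at the canonical domain regardless of the request's Host header.
echo buildVerifyUrlVulnerable($token), PHP_EOL;
echo buildVerifyUrlFixed($config, $token), PHP_EOL;

// With the allow-list check in place the constructed request is rejected
// before any link is built.
assertAllowedHost(['pigeon.example']);
```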