Compliance Impact

The vulnerability allows an attacker to poison password reset emails with malicious URLs, potentially leading to account compromise through token leakage.

Such unauthorized access risks exposing personal or sensitive data, which could impact compliance with data protection regulations like GDPR and HIPAA that require safeguarding user credentials and preventing unauthorized access.

However, the provided information does not explicitly discuss compliance implications or how this vulnerability directly affects adherence to these standards.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-35507 is a Host header injection vulnerability in the Shynet project before version 0.14.0, specifically in the password reset flow.

The root cause is that the Django setting ALLOWED_HOSTS was set to a wildcard "*", which disables Host header validation. This allowed an attacker to send password reset requests with a spoofed Host header.

As a result, password reset emails sent to users contained URLs pointing to the attacker's domain instead of the legitimate site.

If a victim clicks the malicious link or an automated email scanner previews it, the valid password reset token can be leaked to the attacker, enabling account compromise.

The vulnerability was fixed by removing the wildcard from ALLOWED_HOSTS and requiring explicit allowed hosts, which restores proper Host header validation.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to account compromise by leaking valid password reset tokens to attackers.

An attacker can craft password reset requests with a spoofed Host header so that victims receive password reset emails containing malicious URLs.

If victims or automated systems click these malicious links, the attacker gains access to valid reset tokens, allowing unauthorized password resets and account takeover.

This undermines the security of user accounts and can lead to unauthorized access to sensitive information or services.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing whether the Shynet instance accepts password reset requests with spoofed Host headers and whether the password reset emails contain URLs pointing to attacker-controlled domains.

A practical detection method is to send a crafted POST request to the password reset endpoint with a manipulated Host header and observe the response and resulting email behavior.

For example, you can use the following curl command to test for the vulnerability:

• curl -X POST http://<shynet-ip>/accounts/password/reset/ -H "Host: attacker.com" -d "email=admin@..."

If the password reset email contains a URL with the spoofed domain (e.g., http://attacker.com/accounts/password/reset/key/<valid-token>/), the system is vulnerable.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability immediately, you should remove the wildcard "*" from the Django ALLOWED_HOSTS setting and replace it with a restrictive list of allowed hostnames.

Specifically, update your settings.py to set ALLOWED_HOSTS to explicit values such as "localhost" and "127.0.0.1", or your legitimate domain names.

This change ensures that Django's CommonMiddleware rejects requests with spoofed Host headers by returning HTTP 400 errors before any view logic executes.

Additional steps include:

• Upgrade to Shynet version 0.14.0 or later, which includes this fix.
• Avoid using wildcard or overly broad host settings in deployment configurations, including Kubernetes secrets and Heroku app.json.
• Review and update deployment environment variables to ensure ALLOWED_HOSTS is explicitly set.

Following these steps will prevent Host header injection attacks in the password reset flow and protect against token leakage.

Useful 0 Not Useful 0