CVE-2026-42606
Password Reset URL Poisoning in AzuraCast
Publication date: 2026-05-09
Last updated on: 2026-05-09
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| azuracast | azuracast | < 0.23.6 (0.23.6 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-640 | The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can lead to full account compromise for any user of the affected AzuraCast instance.
An attacker can reset the victim's password and bypass two-factor authentication, gaining administrative access and potentially full control over the AzuraCast instance.
The attack requires minimal user interaction, only needing the victim to click a legitimate-looking password reset email link.
Can you explain this vulnerability to me?
CVE-2026-42606 is a high-severity vulnerability in AzuraCast versions 0.23.5 and earlier that arises because the application unconditionally trusts the client-supplied X-Forwarded-Host HTTP header without validating its source.
An unauthenticated attacker can exploit this by injecting a malicious X-Forwarded-Host header during the forgot-password flow, poisoning the password reset URL sent to any user.
When the victim clicks the poisoned link, their password reset token is exfiltrated to the attacker's server. The attacker then uses this token to reset the victim's password and destroy their two-factor authentication (2FA) configuration, achieving full account takeover.
The vulnerability stems from four root causes: unconditional trust of the X-Forwarded-Host header, use of the poisoned request host for generating security-critical URLs, embedding absolute URLs in password reset emails, and unconditional destruction of 2FA secrets during password resets.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the manipulation of the X-Forwarded-Host HTTP header during the password reset process in AzuraCast versions 0.23.5 and earlier. Detection can focus on monitoring HTTP requests to the AzuraCast instance for suspicious or unexpected X-Forwarded-Host header values, especially during password reset flows.
You can use network monitoring tools or web server logs to identify requests with unusual X-Forwarded-Host headers. For example, using command-line tools like curl or tcpdump to inspect headers or capture traffic might help.
- Use curl to simulate a password reset request and observe the response headers: `curl -v -H "X-Forwarded-Host: attacker.com" https://your-azuracast-instance/forgot-password`
- Use tcpdump or Wireshark to capture HTTP traffic and filter for requests containing the X-Forwarded-Host header: `tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep X-Forwarded-Host`
- Review web server access logs for requests with unusual or external X-Forwarded-Host header values.
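The log-review step above is the one that works retrospectively and regardless of TLS (packet capture on port 443 only shows headers after TLS termination, i.e. at the reverse proxy). The following is an added example, not part of this page or of the AzuraCast project: a small scanner over access-log lines that flags any request whose X-Forwarded-Host value is outside the instance's own hostnames, and marks the hit when it lands on a password-reset route. It assumes a constructed log format (nginx combined format extended with a trailing `xfh="$http_x_forwarded_host"` field, which a deployment has to add to its `log_format` explicitly), a hypothetical allowlist and hypothetical reset route prefixes; the sample lines are constructed.

```python
"""Flag access-log entries carrying an X-Forwarded-Host value that is not
one of our own hostnames (added example; log format, hosts and routes are
assumptions, not AzuraCast's)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Assumed log format: nginx "combined" plus a trailing xfh="..." field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" xfh="(?P<xfh>[^"]*)"$'
)

# Hypothetical deployment values: the hostnames this instance legitimately
# serves, and the route prefixes involved in password recovery.
ALLOWED_HOSTS: Set[str] = {"radio.example.org"}
RESET_PATHS: Tuple[str, ...] = ("/forgot", "/recover")


@dataclass
class Finding:
    ip: str
    ts: str
    path: str
    xfh: str
    reason: str


def scan_log(lines: Iterable[str],
             allowed_hosts: Set[str] = ALLOWED_HOSTS,
             reset_paths: Tuple[str, ...] = RESET_PATHS) -> List[Finding]:
    """Return one Finding per request whose X-Forwarded-Host is outside the
    allowlist. Lines without the header (empty or "-") are skipped, as are
    lines that do not match the assumed format."""
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue
        # Only the first value matters if a proxy chain appended several.
        xfh = m["xfh"].split(",")[0].strip().lower()
        if xfh in ("", "-"):
            continue
        path = m["path"].split("?", 1)[0]
        if xfh in allowed_hosts:
            continue
        on_reset_route = any(path.startswith(p) for p in reset_paths)
        reason = "X-Forwarded-Host outside allowlist"
        if on_reset_route:
            reason += " on password-reset route"
        findings.append(Finding(m["ip"], m["ts"], path, xfh, reason))
    return findings


# Constructed sample log lines (addresses from documentation ranges).
SAMPLE_LOG = [
    '203.0.113.5 - - [09/May/2026:12:00:00 +0000] "POST /forgot HTTP/1.1" '
    '200 512 "-" "curl/8.5.0" xfh="attacker.example"',
    '198.51.100.7 - - [09/May/2026:12:00:05 +0000] "GET / HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0" xfh="-"',
    '10.0.0.4 - - [09/May/2026:12:00:09 +0000] "POST /forgot HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0" xfh="radio.example.org"',
    '203.0.113.9 - - [09/May/2026:12:01:00 +0000] "GET /api/nowplaying HTTP/1.1" '
    '200 900 "-" "python-requests/2.31" xfh="evil.example"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ts} {f.ip} {f.path} xfh={f.xfh}: {f.reason}")
```

Only the first and fourth sample lines are reported; the third carries the header but with a legitimate value (the expected case behind a correctly configured proxy), and the second has no header at all. Tuning the allowlist to every hostname the instance really serves is what keeps this low-noise.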
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade AzuraCast to version 0.23.6 or later, where this vulnerability has been patched.
Additional immediate steps include:
- Validate and restrict the X-Forwarded-Host header by implementing a trusted proxy allowlist to prevent untrusted header injection.
- Configure the system's Base URL setting correctly to ensure password reset emails use the legitimate server URL rather than relying on client-supplied headers.
- Avoid automatic destruction of 2FA secrets during password resets to reduce the impact of potential account takeovers.
Monitoring for suspicious password reset activity and educating users to be cautious with password reset emails can also help mitigate exploitation.
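The root-cause list in the explanation above (unconditional trust of X-Forwarded-Host, then using that host to build the reset link) and the first two mitigation steps here (trusted-proxy allowlist, configured Base URL) describe one piece of logic from both sides. The following is an added example, not code from this page or from AzuraCast: the header-trusting pattern beside a hardened version that honours X-Forwarded-Host only from a trusted proxy, validates the result against a host allowlist, and prefers a configured Base URL over anything request-derived. The reset path, Base URL, allowlist, proxy ranges and token are assumptions (AzuraCast is PHP; Python is used here so the example runs stand-alone).

```python
"""Building a security-critical absolute URL from a request: the
header-trusting pattern versus a hardened one (added example; all
deployment values below are constructed, not AzuraCast settings)."""
from ipaddress import ip_address, ip_network
from typing import Iterable, Mapping, Set
from urllib.parse import urlencode

CONFIGURED_BASE_URL = "https://radio.example.org"   # hypothetical Base URL setting
ALLOWED_HOSTS: Set[str] = {"radio.example.org"}     # hostnames we actually serve
TRUSTED_PROXIES = [ip_network("10.0.0.0/8"), ip_network("127.0.0.1/32")]
RESET_PATH = "/recover"                             # hypothetical reset endpoint


def vulnerable_reset_url(headers: Mapping[str, str], token: str) -> str:
    """The pattern behind the first two root causes: whoever sent the
    request decides the host that ends up in the e-mailed link."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    scheme = headers.get("X-Forwarded-Proto", "https")
    return f"{scheme}://{host}{RESET_PATH}?{urlencode({'token': token})}"


def resolve_host(headers: Mapping[str, str], remote_addr: str, *,
                 trusted_proxies: Iterable = TRUSTED_PROXIES,
                 allowed_hosts: Set[str] = ALLOWED_HOSTS) -> str:
    """Honour X-Forwarded-Host only when the TCP peer is a trusted proxy,
    and reject any resulting host that is not in the allowlist."""
    peer = ip_address(remote_addr)
    from_proxy = any(peer in net for net in trusted_proxies)
    forwarded = headers.get("X-Forwarded-Host", "")
    if from_proxy and forwarded:
        host = forwarded.split(",")[0].strip().lower()   # first hop only
    else:
        host = headers.get("Host", "").strip().lower()
    if host not in allowed_hosts:
        raise ValueError(f"untrusted host in request: {host!r}")
    return host


def hardened_reset_url(headers: Mapping[str, str], remote_addr: str, token: str, *,
                       base_url: str = CONFIGURED_BASE_URL) -> str:
    """Prefer the operator-configured Base URL; only when none is set fall
    back to a host that passed proxy and allowlist checks."""
    if base_url:
        origin = base_url.rstrip("/")
    else:
        origin = f"https://{resolve_host(headers, remote_addr)}"
    return f"{origin}{RESET_PATH}?{urlencode({'token': token})}"


if __name__ == "__main__":
    # Constructed request: direct (non-proxy) client sending a forged header.
    req = {"Host": "radio.example.org", "X-Forwarded-Host": "attacker.example"}
    print("vulnerable:", vulnerable_reset_url(req, "t1"))
    print("hardened:  ", hardened_reset_url(req, "203.0.113.5", "t1"))
```

The proxy check alone is not enough: a trusted proxy may itself pass through a client-supplied X-Forwarded-Host if it is not configured to overwrite it, which is why the value is also compared against the allowlist, and why a configured Base URL is the preferred source. Requests whose host fails validation should be refused outright rather than silently rewritten, so that misconfiguration shows up in logs.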
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in AzuraCast allows an attacker to perform full account takeover by poisoning password reset URLs and bypassing two-factor authentication. This leads to unauthorized access to user accounts and potentially sensitive data.
Such unauthorized access and exfiltration of reset tokens could result in violations of data protection regulations like GDPR and HIPAA, which require strict controls on user data confidentiality and integrity.
Specifically, the compromise of user accounts and destruction of 2FA configurations undermines security controls mandated by these standards, potentially leading to non-compliance due to inadequate protection of personal and sensitive information.