Impact Analysis

This vulnerability can lead to full account compromise for any user of the affected AzuraCast instance.

An attacker can reset the victim's password and bypass two-factor authentication, gaining administrative access and potentially full control over the AzuraCast instance.

The attack requires minimal user interaction, only needing the victim to click a legitimate-looking password reset email link.

Useful 0 Not Useful 0

Executive Summary

CVE-2026-42606 is a high-severity vulnerability in AzuraCast versions 0.23.5 and earlier that arises because the application unconditionally trusts the client-supplied X-Forwarded-Host HTTP header without validating its source.

An unauthenticated attacker can exploit this by injecting a malicious X-Forwarded-Host header during the forgot-password flow, poisoning the password reset URL sent to any user.

When the victim clicks the poisoned link, their password reset token is exfiltrated to the attacker's server. The attacker then uses this token to reset the victim's password and destroy their two-factor authentication (2FA) configuration, achieving full account takeover.

The vulnerability stems from four root causes: unconditional trust of the X-Forwarded-Host header, use of the poisoned request host for generating security-critical URLs, embedding absolute URLs in password reset emails, and unconditional destruction of 2FA secrets during password resets.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves the manipulation of the X-Forwarded-Host HTTP header during the password reset process in AzuraCast versions 0.23.5 and earlier. Detection can focus on monitoring HTTP requests to the AzuraCast instance for suspicious or unexpected X-Forwarded-Host header values, especially during password reset flows.

You can use network monitoring tools or web server logs to identify requests with unusual X-Forwarded-Host headers. For example, using command-line tools like curl or tcpdump to inspect headers or capture traffic might help.

• Use curl to simulate a password reset request and observe the response headers: curl -v -H "X-Forwarded-Host: attacker.com" https://your-azuracast-instance/forgot-password
• Use tcpdump or Wireshark to capture HTTP traffic and filter for requests containing the X-Forwarded-Host header: tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep X-Forwarded-Host
• Review web server access logs for requests with unusual or external X-Forwarded-Host header values.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade AzuraCast to version 0.23.6 or later, where this vulnerability has been patched.

Additional immediate steps include:

• Validate and restrict the X-Forwarded-Host header by implementing a trusted proxy allowlist to prevent untrusted header injection.
• Configure the system's Base URL setting correctly to ensure password reset emails use the legitimate server URL rather than relying on client-supplied headers.
• Avoid automatic destruction of 2FA secrets during password resets to reduce the impact of potential account takeovers.

Monitoring for suspicious password reset activity and educating users to be cautious with password reset emails can also help mitigate exploitation.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in AzuraCast allows an attacker to perform full account takeover by poisoning password reset URLs and bypassing two-factor authentication. This leads to unauthorized access to user accounts and potentially sensitive data.

Such unauthorized access and exfiltration of reset tokens could result in violations of data protection regulations like GDPR and HIPAA, which require strict controls on user data confidentiality and integrity.

Specifically, the compromise of user accounts and destruction of 2FA configurations undermines security controls mandated by these standards, potentially leading to non-compliance due to inadequate protection of personal and sensitive information.

Useful 0 Not Useful 0