CVE-2026-54588
Status: Received - Intake
Open Redirect in Poweradmin DNS Administration Tool

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description
Poweradmin is a web-based DNS administration tool for the PowerDNS server. Versions prior to 4.2.4 and 4.3.3 use the attacker-controlled `HTTP_HOST` request header as the authoritative source for building callback URLs in the OIDC, SAML, and logout authentication flows, without any validation. An unauthenticated attacker can therefore poison the `redirect_uri` sent to the Identity Provider (IdP), causing the IdP to deliver the victim's authorization code to an attacker-controlled server. This results in full account takeover with no credentials required. Versions 4.2.4 and 4.3.3 patch the issue.
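The following is an added example, not code from Poweradmin or from the advisory, showing the pattern the description refers to: a callback URL assembled from the request's `Host` header, next to a hardened builder that takes the authority from configuration and checks the `Host` header against an allowlist. All hostnames, paths, the `client_id` and the helper names are assumptions made for the illustration.

```python
"""Constructed example: redirect_uri derived from the Host header (vulnerable)
versus from a configured canonical base URL with a Host allowlist (hardened).
Every hostname, path and setting below is an assumption, not Poweradmin's own."""
from urllib.parse import urlencode, urlsplit

# Assumed deployment settings; not Poweradmin configuration keys.
CANONICAL_BASE_URL = "https://dns-admin.example.org"
ALLOWED_HOSTS = {"dns-admin.example.org"}
CALLBACK_PATH = "/oidc/callback"
IDP_AUTHORIZE_ENDPOINT = "https://idp.example.org/authorize"


def vulnerable_redirect_uri(headers: dict) -> str:
    """Build the callback URL from the request's Host header, as the advisory
    describes: whatever authority the client sent ends up in redirect_uri."""
    # Both values come straight from the request and are never validated.
    scheme = headers.get("X-Forwarded-Proto", "https")
    host = headers["Host"]
    return f"{scheme}://{host}{CALLBACK_PATH}"


def hardened_redirect_uri(headers: dict) -> str:
    """Build the callback URL from configuration only. The Host header is still
    checked against an allowlist so requests for unexpected hosts fail early."""
    # Strip an optional port and normalise case before comparing.
    # (IPv6 literals in Host are not handled here; the allowlist has none.)
    host = headers.get("Host", "").split(":", 1)[0].lower().rstrip(".")
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected Host header: {headers.get('Host')!r}")
    return CANONICAL_BASE_URL + CALLBACK_PATH


def authorize_url(redirect_uri: str, state: str) -> str:
    """Assemble the authorization request the browser is sent to the IdP with.
    This is where a poisoned redirect_uri reaches the IdP."""
    query = urlencode({
        "response_type": "code",
        "client_id": "poweradmin",        # assumed client registration name
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
    })
    return f"{IDP_AUTHORIZE_ENDPOINT}?{query}"


def code_would_leak(redirect_uri: str) -> bool:
    """True if the IdP would deliver the authorization code to a host other
    than the canonical application host."""
    return urlsplit(redirect_uri).hostname != urlsplit(CANONICAL_BASE_URL).hostname


if __name__ == "__main__":
    # Constructed request headers: a victim's browser tricked into sending the
    # login request with an attacker-chosen Host value.
    poisoned = {"Host": "attacker.example"}
    print("vulnerable:", authorize_url(vulnerable_redirect_uri(poisoned), "abc123"))
    print("hardened  :", authorize_url(hardened_redirect_uri({"Host": "dns-admin.example.org"}), "abc123"))
    try:
        hardened_redirect_uri(poisoned)
    except ValueError as exc:
        print("hardened rejects:", exc)
```

The hardened builder keeps the Host check even though it no longer uses the header for the URL: rejecting unexpected hosts at the application layer is a second line of defence behind the reverse proxy, and an IdP that enforces exact `redirect_uri` matching against the registered value would refuse the poisoned URL regardless.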
Meta Information
Generated: 2026-06-24
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: poweradmin
Product: poweradmin
Version / Range: all versions prior to 4.2.4, and 4.3.x prior to 4.3.3 (the fixed versions 4.2.4 and 4.3.3 are excluded)
CWE
CWE-20: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-601: The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Executive Summary

This vulnerability exists in Poweradmin, a web-based DNS administration tool for the PowerDNS server, in versions prior to 4.2.4 and 4.3.3. The issue arises because the software uses the attacker-controlled HTTP_HOST request header as the authoritative source for building callback URLs in its OIDC, SAML, and logout authentication flows, without validating it.

An unauthenticated attacker can exploit this by poisoning the redirect_uri sent to the Identity Provider (IdP). This causes the IdP to redirect the victim's authorization code to a server controlled by the attacker, which can lead to a full account takeover without requiring any credentials.

The vulnerability is patched in versions 4.2.4 and 4.3.3 of Poweradmin.

Impact Analysis

This vulnerability can have severe impact because it allows an unauthenticated attacker to take over user accounts without needing any credentials.

Specifically, by poisoning the redirect_uri in the authentication flows, the attacker causes the IdP to send the victim's authorization code to a server the attacker controls. An attacker holding that code can complete the login as the victim and gain full control of the affected account.

This leads to unauthorized access to DNS administration functions, and so to the ability to alter the zones and records managed by Poweradmin, compromising the integrity and availability of the DNS services that depend on them.

Mitigation Strategies

To mitigate this vulnerability, upgrade Poweradmin to version 4.2.4 (4.2.x branch) or 4.3.3 (4.3.x branch); these releases stop using the unvalidated HTTP_HOST header as the source of the callback URL. Until the upgrade is applied, two deployment-level controls reduce exposure: configure the front-end web server or reverse proxy to serve Poweradmin only under its canonical hostname and to reject requests carrying any other Host header, and confirm that the Identity Provider enforces exact matching of redirect_uri against the registered callback URL, since an IdP that does so will refuse the poisoned value. After patching, review IdP and web-server logs for authorization requests whose redirect_uri points at an unexpected host.
