AzuraCast CVE-2026-42606: Unauthenticated Account Takeover Via X-Forwarded-Host Poisoning

The National Vulnerability Database has published CVE-2026-42606, a high-severity vulnerability in AzuraCast, a self-hosted web radio management suite. In versions before 0.23.6, the ApplyXForwarded middleware unconditionally trusts the client-supplied X-Forwarded-Host HTTP header, which lets an unauthenticated attacker inject an attacker-controlled host into the password reset URLs the application emails to its users.

To exploit this, an attacker triggers a password reset for any user while supplying a manipulated X-Forwarded-Host header; the reset email then carries a link whose host is the attacker's server. When the victim clicks the poisoned link, the reset token embedded in the URL is delivered to that server. The attacker replays the token against the legitimate AzuraCast instance to set a new password and disable any configured 2FA, completing the account takeover. The issue carries a CVSS score of 8.1 (High) and is classified under CWE-640, Weak Password Recovery Mechanism for Forgotten Password. It is fixed in version 0.23.6.

This vulnerability illustrates a common and often overlooked trust-boundary problem. X-Forwarded-Host is only meaningful when a reverse proxy the operator controls set it; accepting it from any client, without checking that the request arrived from a trusted proxy and that the resulting hostname is one the instance actually serves, hands the attacker control of every absolute URL the application generates. Here that URL is a password reset link, so a seemingly minor middleware decision defeats strong passwords and 2FA alike.
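The middleware flaw and its fix, as an added Python illustration rather than AzuraCast's own code: one reset-link builder that trusts X-Forwarded-Host unconditionally (the CVE-2026-42606 pattern) next to one that honours the header only when the request came from a trusted proxy and then allowlists the resulting hostname. The hostnames, the proxy address range and the /recover path are assumptions made for the example.

```python
# Added illustration (not AzuraCast code): building a password-reset link from
# request headers, first trusting X-Forwarded-Host unconditionally, then
# restricting it to trusted proxies plus a host allowlist. Hostnames, proxy
# range and RESET_PATH are assumptions for the example.
from ipaddress import ip_address, ip_network
from urllib.parse import quote

CANONICAL_HOST = "radio.example.com"            # assumed operator-configured public host
ALLOWED_HOSTS = {CANONICAL_HOST}                # every hostname this instance serves
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]    # assumed reverse-proxy address range
RESET_PATH = "/recover"                         # hypothetical reset-link path


class UntrustedHostError(ValueError):
    """Raised when a reset link would point at a host we do not control."""


def public_host_vulnerable(request):
    """Vulnerable pattern: whoever set X-Forwarded-Host chooses the link's host."""
    h = request["headers"]
    return h.get("x-forwarded-host") or h["host"]


def public_host_hardened(request):
    """Honour X-Forwarded-Host only from a trusted proxy, then allowlist the result."""
    h = request["headers"]
    host = h["host"]
    peer = ip_address(request["remote_addr"])
    forwarded = h.get("x-forwarded-host")
    if forwarded and any(peer in net for net in TRUSTED_PROXIES):
        host = forwarded.split(",")[0].strip()   # keep the first hop only
    # The allowlist is the real guard: it also covers a proxy that passes the
    # client's header through instead of overwriting it with the real host.
    if host.lower() not in ALLOWED_HOSTS:
        raise UntrustedHostError(f"refusing reset link for host {host!r}")
    return host


def reset_link(host, token):
    return f"https://{host}{RESET_PATH}?token={quote(token, safe='')}"


# Constructed sample requests (addresses from documentation ranges).
ATTACKER_DIRECT = {   # attacker reaches the app directly and sets the header
    "remote_addr": "203.0.113.7",
    "headers": {"host": CANONICAL_HOST, "x-forwarded-host": "attacker.example"},
}
PASSED_THROUGH = {    # trusted proxy forwarded the client's header unchanged
    "remote_addr": "10.0.0.5",
    "headers": {"host": CANONICAL_HOST, "x-forwarded-host": "attacker.example"},
}
LEGITIMATE = {        # trusted proxy set the header to the real public host
    "remote_addr": "10.0.0.5",
    "headers": {"host": "azuracast-web:80", "x-forwarded-host": CANONICAL_HOST},
}


def compare(request, token="dummy-token"):
    """Return (link from the vulnerable builder, link from the hardened one or None)."""
    vulnerable = reset_link(public_host_vulnerable(request), token)
    try:
        hardened = reset_link(public_host_hardened(request), token)
    except UntrustedHostError:
        hardened = None                          # no email is sent in this case
    return vulnerable, hardened


if __name__ == "__main__":
    for name, req in [("attacker-direct", ATTACKER_DIRECT),
                      ("passed-through", PASSED_THROUGH),
                      ("legitimate", LEGITIMATE)]:
        print(name, compare(req))
```

The passed-through case is the one worth studying: a reverse proxy that forwards the client's X-Forwarded-Host unchanged launders the attacker's value through a trusted address, so the trusted-proxy check alone is not enough and only the hostname allowlist refuses the link.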

What This Means For You

  • If your organization uses AzuraCast, verify the installed version and update to 0.23.6 or later without delay. Until then, and as defence in depth afterwards, make sure the instance is reachable only through your reverse proxy and configure that proxy to set `X-Forwarded-Host` itself rather than pass through whatever the client sent. Review web server or proxy logs for POST requests to the password reset endpoint (`/auth/forgot_password`) that carry an `X-Forwarded-Host` value other than your own hostname, and for reset emails users did not request. Remind users that an unexpected reset email, or a reset link pointing at an unfamiliar domain, should be reported rather than clicked, since this attack relies on the victim clicking the poisoned link.

🛡️ Detection Rules

Level: critical · ATT&CK T1190 (Initial Access)

CVE-2026-42606: AzuraCast Unauthenticated Account Takeover via X-Forwarded-Host Poisoning

title: CVE-2026-42606: AzuraCast Unauthenticated Account Takeover via X-Forwarded-Host Poisoning
id: scw-2026-05-09-ai-1
status: experimental
level: critical
description: |
  Detects the initial exploitation attempt of CVE-2026-42606. An attacker sends a POST request to the
  AzuraCast password reset endpoint ('/auth/forgot_password') while injecting a malicious domain into the
  'X-Forwarded-Host' HTTP header. The vulnerable ApplyXForwarded middleware uses that header to construct
  the password reset link sent to the victim, so when the victim clicks the link their reset token is
  delivered to the attacker-controlled host. The rule flags POSTs to the reset endpoint whose
  X-Forwarded-Host is anything other than the instance's own hostname(s); enumerating attacker domains
  would be pointless because the attacker chooses the value.
author: SCW Feed Engine (AI-generated)
date: 2026-05-09
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42606/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-method: 'POST'
    cs-uri|contains: '/auth/forgot_password'
    # Requires the web server or reverse proxy to log the X-Forwarded-Host header.
    # The field name varies between log pipelines (e.g. 'x_forwarded_host', 'http_x_forwarded_host');
    # adjust it to match your logsource. The 'exists' modifier needs a Sigma v2-aware backend.
    x_forwarded_host|exists: true
  filter_expected_host:
    # Replace with every hostname this instance legitimately serves (example value).
    x_forwarded_host:
      - 'radio.example.com'
  condition: selection and not filter_expected_host
falsepositives:
  - Reverse proxies forwarding a legitimate alternate hostname (alias domain) that is missing from the filter
  - Log pipelines that store the header under a different field name or with a ':port' suffix
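The rule's matching logic run over sample log records, as an added Python example that is neither the page's own nor AzuraCast's code. It assumes the proxy or web server logs the header under the field name x_forwarded_host, checks every comma-separated hop rather than only the first, and tolerates an explicit port; every hostname, address and log line below is constructed for the example.

```python
# Added example (not from the page or from AzuraCast): the Sigma rule's logic
# applied to constructed JSON access-log records. Assumes the header is logged
# as "x_forwarded_host"; all hosts, addresses and log lines are made up.
import json
import re

EXPECTED_HOSTS = {"radio.example.com"}      # assumed: every hostname the instance serves
RESET_ENDPOINT = "/auth/forgot_password"    # endpoint named in the Sigma rule


def normalise_host(value):
    """Lower-case a host value and drop an explicit :port so 'radio.example.com:443' is not flagged."""
    return re.sub(r":\d+$", "", value.strip().lower())


def is_reset_poisoning(record):
    """True for a POST to the reset endpoint whose X-Forwarded-Host names a host we do not serve."""
    if record.get("cs-method") != "POST":
        return False
    if RESET_ENDPOINT not in record.get("cs-uri", ""):
        return False
    forwarded = record.get("x_forwarded_host")
    if not forwarded:
        return False                        # header absent: nothing for the middleware to trust
    # Check every hop, not just the first: detection should be stricter than the application.
    hops = [normalise_host(h) for h in forwarded.split(",") if h.strip()]
    return any(h not in EXPECTED_HOSTS for h in hops)


def scan(lines):
    """Parse JSON log lines and return the records the rule matches, in order."""
    hits = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue                        # a malformed line must not abort the whole scan
        if is_reset_poisoning(record):
            hits.append(record)
    return hits


def suspicious_sources(lines):
    """Client addresses that triggered the rule, deduplicated in first-seen order."""
    seen = []
    for hit in scan(lines):
        if hit["c-ip"] not in seen:
            seen.append(hit["c-ip"])
    return seen


# Constructed log lines, using the W3C-style field names the Sigma rule references.
SAMPLE_LOG = [
    '{"c-ip": "203.0.113.7", "cs-method": "POST", "cs-uri": "/auth/forgot_password", "x_forwarded_host": "attacker.example"}',
    '{"c-ip": "198.51.100.20", "cs-method": "POST", "cs-uri": "/auth/forgot_password", "x_forwarded_host": "radio.example.com"}',
    '{"c-ip": "203.0.113.7", "cs-method": "GET", "cs-uri": "/auth/forgot_password", "x_forwarded_host": "attacker.example"}',
    '{"c-ip": "203.0.113.7", "cs-method": "POST", "cs-uri": "/auth/login", "x_forwarded_host": "attacker.example"}',
    '{"c-ip": "198.51.100.21", "cs-method": "POST", "cs-uri": "/auth/forgot_password"}',
    '{"c-ip": "198.51.100.22", "cs-method": "POST", "cs-uri": "/auth/forgot_password", "x_forwarded_host": "radio.example.com:443"}',
    '{"c-ip": "203.0.113.9", "cs-method": "POST", "cs-uri": "/auth/forgot_password", "x_forwarded_host": "radio.example.com, attacker.example"}',
    'not json at all',
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"ALERT {hit['c-ip']} -> X-Forwarded-Host={hit['x_forwarded_host']!r}")
```

Only the first and the multi-hop record fire; the GET, the request to another endpoint, the record without the header and the one with a port suffix on the legitimate host are all ignored, which is the behaviour to confirm before tuning the rule against your own proxy's field names.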

Indicators of Compromise

ID | Type | Indicator
CVE-2026-42606 | Auth Bypass | AzuraCast versions prior to 0.23.6
CVE-2026-42606 | Information Disclosure | AzuraCast ApplyXForwarded middleware trusts X-Forwarded-Host header
CVE-2026-42606 | | Password reset URL poisoning via X-Forwarded-Host header in AzuraCast

Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: May 09, 2026 at 23:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Related coverage

CVE-2026-8210 — Aandrew-Me Tgpt Command Injection

CVE-2026-8210 — A security vulnerability has been detected in aandrew-me tgpt up to 2.11.1 on Linux/macOS. Affected by this vulnerability is the function helper.Update of...

SCW Vulnerability Desk · medium severity (CVSS 5.3) · command injection · CWE-74, CWE-77 · 3 IOCs · 3 Sigma rules

CVE-2026-8195 — JeecgBoot Vulnerability

CVE-2026-8195 — A vulnerability was detected in JeecgBoot up to 3.9.1. The affected element is an unknown function of the file jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/CommonController.java of the component...

SCW Vulnerability Desk · medium severity (CVSS 4.3) · CWE-79, CWE-94 · 3 IOCs · 3 Sigma rules

CVE-2026-8194 — OsTicket Vulnerability

CVE-2026-8194 — A security vulnerability has been detected in osTicket up to 1.18.3. Impacted is an unknown function of the file include/class.dispatcher.php of the component...

SCW Vulnerability Desk · medium severity (CVSS 4.3) · CWE-352, CWE-862 · 3 IOCs · 3 Sigma rules