CVE-2026-42606— AzuraCast: Password Reset Poisoning via Untrusted X-Forwarded-Host Header Leads to Account Takeover and 2FA Bypass

AzuraCast: Password Reset Poisoning via Untrusted X-Forwarded-Host Header Leads to Account Takeover and 2FA Bypass

AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the ApplyXForwarded middleware unconditionally trusts the client-supplied X-Forwarded-Host HTTP header with no trusted proxy allowlist. An unauthenticated attacker can poison the password reset URL sent to any user by injecting this header when triggering the forgot-password flow. When the victim clicks the poisoned link, their reset token is exfiltrated to the attacker's server. The attacker then uses the token on the real instance to reset the victim's password and destroy their 2FA configuration, achieving full account takeover. This issue has been patched in version 0.23.6.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

忘记口令恢复机制弱

AzuraCast 授权问题漏洞

AzuraCast是AzuraCast公司的一个简单的自托管网络广播管理套件。 AzuraCast 0.23.6之前版本存在授权问题漏洞，该漏洞源于ApplyXForwarded中间件无条件信任客户端提供的X-Forwarded-Host HTTP标头且无受信任代理白名单，可能导致未经身份验证的攻击者通过注入该标头触发忘记密码流程时投毒密码重置URL，当受害者点击投毒链接时重置令牌被泄露至攻击者服务器，攻击者利用令牌重置密码并破坏双因素认证配置实现账户接管。

N/A

N/A