CVE-2026-1089 Overview
CVE-2026-1089 affects Fortra's GoAnywhere Managed File Transfer (MFT) prior to version 7.10.0. The vulnerability stems from improper neutralization of a user-controlled HTTP header [CWE-74]. Attackers can manipulate this header to trigger outbound DNS lookups from the GoAnywhere MFT server. The flaw enables DNS rebinding attacks and information disclosure against internal network resources.
The issue is reachable over the network without authentication or user interaction. Fortra published advisory FI-2026-005 and resolved the issue in GoAnywhere MFT 7.10.0.
Critical Impact
Unauthenticated attackers can coerce GoAnywhere MFT into performing attacker-controlled DNS resolutions, enabling reconnaissance of internal infrastructure and DNS rebinding against backend services.
Affected Products
- Fortra GoAnywhere Managed File Transfer versions prior to 7.10.0
- Self-hosted GoAnywhere MFT deployments exposing the web interface to untrusted networks
- Cloud-hosted GoAnywhere MFT instances running affected versions
Discovery Timeline
- 2026-04-21 - CVE-2026-1089 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-1089
Vulnerability Analysis
The vulnerability resides in how GoAnywhere MFT processes a user-controlled HTTP header. The application accepts header values without adequate validation and uses them in operations that produce a DNS lookup. An unauthenticated remote attacker can supply a crafted header pointing to an arbitrary hostname.
When the server resolves the attacker-supplied hostname, the lookup reaches whoever controls that name's authoritative DNS server, leaking information about the deployment environment such as the address of the resolver the MFT host uses. The same primitive supports DNS rebinding, where the attacker's DNS server alternates its answers so that a name the application first saw as public later resolves to an internal address, bypassing same-origin or network-segmentation assumptions. This can allow interaction with internal-only services that trust requests originating from the MFT host.
In CVSS terms the attack vector is network, attack complexity is low, and no privileges or user interaction are required. The confidentiality and availability impacts are both rated low, while integrity is unaffected.
Root Cause
The root cause is improper neutralization of special elements in a downstream component [CWE-74]. GoAnywhere MFT passes attacker-controlled header data into a code path that performs hostname resolution. The application does not restrict the destination, validate the value against an allowlist, or sanitize control characters.
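To make the root cause in the two sections above concrete, here is an added Python illustration (not GoAnywhere's code; the header name, the allowlist, the hostname grammar and the internal ranges are assumptions) of the unsafe pattern next to a hardened one that rejects control characters, requires an allowlisted destination, resolves once, refuses internal answers and pins the resulting address so a later rebound DNS answer cannot redirect the request.

```python
import ipaddress
import re
import socket

# Assumptions (not GoAnywhere's code): the application takes a hostname from an HTTP
# header and must resolve it; only destinations on this constructed allowlist may be used.
ALLOWED_HOSTS = {"files.corp.example", "partner-sftp.example.org"}
LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?=.{{1,253}}$)(?:{LABEL}\.)*{LABEL}$")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                 "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]  # RFC 1918, loopback, link-local

def vulnerable_resolve(header_value):
    # The CWE-74 pattern: whatever the client sent goes straight to the resolver, so the
    # client chooses the destination and its DNS server learns that the lookup happened.
    return socket.gethostbyname(header_value)

def validate_host_header(value):
    """Return the normalized hostname, or None if the header value must be rejected."""
    if value is None or any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return None                     # control characters (CR, LF, NUL, ...) never pass
    host = value.strip().lower().rstrip(".")
    if not HOSTNAME_RE.match(host):
        return None                     # not a syntactically valid DNS name
    if host not in ALLOWED_HOSTS:
        return None                     # destination is not on the allowlist
    return host

def safe_resolve(header_value, resolver=socket.gethostbyname):
    """Validate, resolve once, refuse internal answers, and return the pinned address."""
    host = validate_host_header(header_value)
    if host is None:
        raise ValueError("rejected header value")
    addr = ipaddress.ip_address(resolver(host))
    if any(addr in net for net in INTERNAL_NETS):
        raise ValueError("resolved to internal address")  # 127.0.0.1, 169.254.169.254, RFC 1918
    # Callers connect to this address, not to the name, so a later (rebound) DNS answer
    # cannot redirect the request to an internal service.
    return str(addr)
```

The `resolver` parameter exists so the function can be exercised with a stand-in lookup; in production the default `socket.gethostbyname` is used.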
Attack Vector
The attacker sends an HTTP request to a reachable GoAnywhere MFT endpoint with a crafted header value. The header value contains a hostname controlled by the attacker, typically a domain hosted on an out-of-band collaboration service. The server performs a DNS query against that hostname, confirming reachability and revealing outbound DNS infrastructure.
For DNS rebinding, the attacker configures the authoritative DNS server to alternate responses between a public IP and an internal IP such as 127.0.0.1 or 169.254.169.254. Subsequent server-side requests may be redirected to internal services, exposing metadata endpoints or unauthenticated administrative interfaces.
No verified public proof-of-concept code is available. Refer to the Fortra Security Advisory FI-2026-005 for vendor-supplied technical details.
Detection Methods for CVE-2026-1089
Indicators of Compromise
- Outbound DNS queries from GoAnywhere MFT hosts to unfamiliar or recently registered domains
- HTTP requests to GoAnywhere MFT endpoints containing unexpected or malformed header values
- DNS resolution patterns where the same hostname rapidly alternates between public and private IP addresses
- Connections from the MFT host to internal management interfaces or cloud metadata services such as 169.254.169.254
Detection Strategies
- Inspect web access logs for inbound requests with anomalous or attacker-controlled HTTP header values targeting GoAnywhere MFT URLs
- Correlate inbound HTTP requests with outbound DNS activity from the MFT server within a short time window
- Alert on DNS responses returning RFC1918 or link-local addresses for externally registered domains, a hallmark of DNS rebinding
- Baseline normal outbound DNS destinations for the MFT host and flag deviations
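As an added example (not part of the original summary and not Fortra tooling), the following Python script applies the second and third strategies above, and the alternating-answer indicator from the previous section, to constructed web-access and resolver log lines: it correlates an inbound request whose suspect header names a host with a lookup of that name from the MFT host within a short window, and it flags external names that resolve to RFC 1918, loopback or link-local space or whose answers flip between public and internal addresses. The header name, both log formats, the internal zone list and the 10-second window are assumptions.

```python
import ipaddress
from datetime import datetime, timedelta
# Constructed sample logs (not from a real deployment): web lines are time, client, method,
# path, suspect-header value; resolver lines are time, querying host, name, type, answer.
WEB_LOG = """\
2026-04-22T10:00:01Z 203.0.113.7 GET /goanywhere/ hdr=files.corp.example
2026-04-22T10:00:05Z 203.0.113.9 GET /goanywhere/ hdr=abc123.oob.example.net
"""
DNS_LOG = """\
2026-04-22T10:00:02Z 10.1.2.3 files.corp.example A 10.1.5.20
2026-04-22T10:00:06Z 10.1.2.3 abc123.oob.example.net A 198.51.100.4
2026-04-22T10:00:09Z 10.1.2.3 abc123.oob.example.net A 169.254.169.254
"""
INTERNAL_ZONES = ("corp.example",)  # assumption: zones where private answers are normal
WINDOW = timedelta(seconds=10)       # assumption: request-to-lookup correlation window
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                 "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]  # RFC 1918, loopback, link-local

def parse_web(text):  # -> [(time, hostname taken from the header value)]
    rows = (line.split() for line in text.splitlines())
    return [(datetime.strptime(f[0], "%Y-%m-%dT%H:%M:%SZ"), f[4].split("=", 1)[1].lower()) for f in rows]

def parse_dns(text):  # -> [(time, queried name, answer address)]
    rows = (line.split() for line in text.splitlines())
    return [(datetime.strptime(f[0], "%Y-%m-%dT%H:%M:%SZ"), f[2].lower(), f[4]) for f in rows]

def is_internal_addr(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def is_internal_name(name):
    return any(name == z or name.endswith("." + z) for z in INTERNAL_ZONES)

def find_alerts(web, dns):
    alerts = set()
    # 1. Request whose header names an external host that the MFT server looks up within WINDOW.
    for t, host in web:
        hits = [dt for dt, n, _ in dns if n == host and t <= dt <= t + WINDOW]
        if hits and not is_internal_name(host):
            alerts.add(("header-triggered-lookup", host))
    # 2. External name answered from internal space, or answers flipping public/internal (rebinding).
    last = {}
    for _, n, ans in dns:
        internal = is_internal_addr(ans)
        if internal and not is_internal_name(n):
            alerts.add(("private-answer-for-external-name", n))
        if n in last and last[n] != internal:
            alerts.add(("answer-flip", n))
        last[n] = internal
    return sorted(alerts)
```

Run against the constructed logs, the legitimate internal lookup produces nothing, while the out-of-band name triggers all three alerts.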
Monitoring Recommendations
- Forward GoAnywhere MFT access logs and DNS resolver logs to a centralized analytics platform for correlation
- Monitor egress traffic from MFT hosts and restrict outbound DNS to approved resolvers
- Track the running version of GoAnywhere MFT across the estate and flag any instance below 7.10.0
How to Mitigate CVE-2026-1089
Immediate Actions Required
- Upgrade Fortra GoAnywhere MFT to version 7.10.0 or later as directed in advisory FI-2026-005
- Restrict network exposure of the GoAnywhere MFT administrative and web interfaces to trusted networks only
- Review outbound DNS logs from MFT hosts for the past 90 days to identify suspicious resolution activity
- Validate that the MFT host cannot reach internal management interfaces or cloud metadata services unnecessarily
Patch Information
Fortra resolved the vulnerability in GoAnywhere MFT 7.10.0. Administrators should consult the Fortra Security Advisory FI-2026-005 for upgrade procedures and verification steps. Apply the patch in non-production first and validate file transfer workflows before promoting to production.
Workarounds
- Place GoAnywhere MFT behind a reverse proxy or web application firewall that strips or normalizes the affected HTTP header
- Apply egress filtering to block the MFT host from resolving or connecting to internal address ranges and cloud metadata endpoints
- Limit DNS resolution for the MFT host to a controlled internal resolver that logs all queries and blocks newly registered domains
# Example egress restriction using iptables: block the MFT host from the cloud
# metadata endpoint and allow DNS only to the approved internal resolver.
# RESOLVER_IP is a placeholder for the address of your controlled resolver; these
# rules are not persistent, so save them with your distribution's iptables-save workflow.
iptables -A OUTPUT -d 169.254.169.254 -j DROP
iptables -A OUTPUT -d RESOLVER_IP -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -d RESOLVER_IP -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p udp --dport 53 -j DROP
iptables -A OUTPUT -p tcp --dport 53 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.