CVE-2026-28681 Overview
CVE-2026-28681 is an open redirect vulnerability (CWE-601) in the Internet Routing Registry daemon version 4 (IRRd), an IRR database server that processes IRR objects in the RPSL format. This vulnerability allows attackers to manipulate the HTTP Host header during password reset or account creation requests, causing confirmation emails to contain links pointing to attacker-controlled domains. When users click these malicious links, authentication tokens are exposed to attackers, enabling complete account takeover.
Critical Impact
Successful exploitation allows attackers to take over user accounts and modify RPSL routing objects maintained by compromised accounts, potentially affecting internet routing infrastructure.
Affected Products
- IRRd versions 4.4.0 to 4.4.4
- IRRd versions 4.5.0 to 4.5.0
- Internet Routing Registry daemon version 4 (RPSL-processing IRR database server)
Discovery Timeline
- March 6, 2026 - CVE-2026-28681 published to NVD
- March 9, 2026 - Last updated in NVD database
Technical Details for CVE-2026-28681
Vulnerability Analysis
This vulnerability exploits insufficient validation of the HTTP Host header in IRRd's authentication workflow. When a user initiates a password reset or account creation, the application generates a confirmation email containing a URL constructed using the Host header from the incoming HTTP request. An attacker can intercept or craft requests with a manipulated Host header pointing to their malicious domain.
The resulting confirmation email will contain a link to the attacker's server instead of the legitimate IRRd instance. When the victim clicks the link in their email, their authentication token is transmitted to the attacker's server. The attacker can then use this captured token on the real IRRd instance to complete the password reset or account verification, gaining full control of the victim's account.
Once an account is compromised, attackers can modify RPSL (Routing Policy Specification Language) objects maintained by that account's mntners (maintainer objects). This could have significant implications for internet routing infrastructure, as RPSL objects define routing policies used by network operators.
Root Cause
The root cause of this vulnerability is improper validation of the HTTP Host header during email generation for authentication workflows. The application trusts user-supplied input from the Host header when constructing confirmation URLs, violating the principle of never trusting client-provided data for security-critical operations. This is classified as CWE-601 (URL Redirection to Untrusted Site), commonly known as Open Redirect.
Attack Vector
The attack leverages network-accessible endpoints and requires user interaction (clicking the malicious link in the email). The exploitation flow involves the following steps:
- The attacker identifies a target user account on an IRRd instance
- The attacker sends a password reset request while manipulating the HTTP Host header to point to their controlled domain (e.g., Host: attacker.com)
- The IRRd server generates an email containing a confirmation link with the attacker's domain
- The victim receives the legitimate-looking email and clicks the confirmation link
- The victim's browser sends the reset token to the attacker's server
- The attacker captures the token and uses it on the real IRRd instance to reset the password
- The attacker gains access to the compromised account
It is worth noting that two-factor authentication provides a mitigation layer—users with 2FA configured (required for those with override access) cannot have their accounts fully compromised even if an attacker successfully resets their password.
Detection Methods for CVE-2026-28681
Indicators of Compromise
- Unusual HTTP Host header values in IRRd access logs that don't match legitimate server hostnames
- Password reset requests originating from unexpected IP addresses or geographic locations
- Multiple password reset requests for the same account in rapid succession
- Unauthorized modifications to RPSL objects after suspicious authentication activity
Detection Strategies
- Monitor web server and application logs for Host header anomalies where the header doesn't match configured server names
- Implement alerting on password reset requests with mismatched Host headers compared to the application's configured base URL
- Review audit logs for account access following password reset operations, especially from different IP addresses than the reset request
- Deploy web application firewalls (WAF) with rules to detect Host header injection attempts
Monitoring Recommendations
- Enable detailed HTTP request logging including all headers for authentication-related endpoints
- Implement real-time monitoring of RPSL object modifications with alerts for unexpected changes
- Configure alerts for password reset completion events, particularly when initiated from unfamiliar sources
- Correlate authentication events with subsequent account activity to detect potential account takeovers
How to Mitigate CVE-2026-28681
Immediate Actions Required
- Upgrade IRRd to version 4.4.5 or 4.5.1 immediately
- Audit recent password reset and account creation activities for signs of exploitation
- Review RPSL objects for unauthorized modifications
- Enforce two-factor authentication for all privileged accounts with mntner access
Patch Information
The IRRd maintainers have released patched versions that address this vulnerability. Organizations should upgrade to the following versions:
- For 4.4.x series: Upgrade to version 4.4.5 - See IRRd Documentation Release 4.4.5
- For 4.5.x series: Upgrade to version 4.5.1 - See IRRd Documentation Release 4.5.1
The security patches are available via GitHub commits:
For complete details, refer to the GitHub Security Advisory GHSA-22m3-c7vp-49fj.
Workarounds
- Configure a reverse proxy (such as nginx or Apache) to validate and enforce the Host header before requests reach IRRd
- Require two-factor authentication for all user accounts, which prevents full account takeover even if password reset is exploited
- Implement network-level controls to restrict access to password reset functionality
- Configure email security warnings for users to verify URL domains before clicking password reset links
# Example nginx configuration to enforce Host header
server {
listen 443 ssl;
server_name irrd.example.com;
# Reject requests with unexpected Host headers
if ($host !~ ^(irrd\.example\.com)$) {
return 444;
}
location / {
proxy_pass http://localhost:8080;
proxy_set_header Host irrd.example.com;
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
