CVE-2026-42606 Overview
CVE-2026-42606 is a host header injection vulnerability in AzuraCast, a self-hosted web radio management suite. The flaw exists in the ApplyXForwarded middleware, which unconditionally trusts the client-supplied X-Forwarded-Host HTTP header without enforcing a trusted proxy allowlist. An unauthenticated attacker can poison password reset URLs by supplying this header when triggering the forgot-password flow. When the victim clicks the poisoned link, their reset token is sent to an attacker-controlled server. The attacker then uses the token on the legitimate instance to reset the victim's password; the reset flow also removes the victim's two-factor authentication configuration. The issue is tracked under CWE-640 and has been patched in version 0.23.6.
Critical Impact
Unauthenticated attackers can achieve full account takeover of any AzuraCast user, including administrators, by exfiltrating password reset tokens through a poisoned host header.
Affected Products
- AzuraCast versions prior to 0.23.6
- Self-hosted AzuraCast web radio management deployments
- Instances that clients can reach without a reverse proxy that overwrites X-Forwarded-Host (the ApplyXForwarded middleware in affected versions has no trusted proxy allowlist of its own)
Discovery Timeline
- 2026-05-09 - CVE-2026-42606 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-42606
Vulnerability Analysis
The vulnerability resides in AzuraCast's ApplyXForwarded middleware. This middleware reads the X-Forwarded-Host header from incoming HTTP requests and uses it to construct the base URL for outbound links. The middleware applies no validation and does not restrict trust to requests originating from configured reverse proxies.
When a user triggers the forgot-password flow, AzuraCast generates a password reset URL using this attacker-controlled host value. The email sent to the victim contains a link pointing to the attacker's domain while carrying a valid reset token tied to the victim's account on the real AzuraCast instance.
If the victim clicks the link, the attacker's server logs the reset token from the URL. The attacker then submits the token to the legitimate AzuraCast instance to set a new password. The reset flow also clears the victim's two-factor authentication settings, removing a key defense against account takeover.
Root Cause
The root cause is improper trust of HTTP headers, classified under CWE-640 (Weak Password Recovery Mechanism for Forgotten Password). The ApplyXForwarded middleware does not enforce a trusted proxy allowlist, so any client, not only the configured reverse proxy, can dictate the host used in generated URLs. Password reset link construction relies on this untrusted value rather than on the configured server base URL.
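The trust decision described above, as an added example in Python that is not AzuraCast's code (the project itself is PHP): a flawed resolver that honours X-Forwarded-Host from any client, a hardened resolver that honours it only when the TCP peer is an allowlisted proxy and only for a hostname the instance is configured to serve, and a reset-link builder that, like the fix described on this page, ignores the request entirely and builds from configuration. The base URL, the proxy ranges and the /recover path are assumptions for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical operator configuration. These are assumptions for the example,
# not AzuraCast's real setting names or defaults.
CONFIGURED_BASE_URL = "https://radio.example.com"
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("127.0.0.0/8")]
RESET_PATH = "/recover"   # hypothetical route for the password reset form


def vulnerable_base_url(headers, scheme="https"):
    """The flawed pattern from the text: X-Forwarded-Host wins over Host for
    every request, regardless of who sent it, so any client picks the base URL
    that ends up in outbound links."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    return f"{scheme}://{host}"


def hardened_base_url(remote_addr, headers, scheme="https"):
    """Honour X-Forwarded-Host only when the TCP peer is an allowlisted proxy
    and the forwarded host is one we are configured to serve. Anything else
    falls back to the configured base URL, never to the client's Host header."""
    peer = ipaddress.ip_address(remote_addr)
    forwarded = headers.get("X-Forwarded-Host", "")
    if not forwarded or not any(peer in net for net in TRUSTED_PROXIES):
        return CONFIGURED_BASE_URL
    # The header may carry a comma-separated chain; only the first hop is the
    # public host. Parse it as a URL authority so "host:port", userinfo tricks
    # ("good@evil") and IPv6 literals are handled by the standard library.
    parsed = urlsplit("//" + forwarded.split(",", 1)[0].strip())
    try:
        port = parsed.port          # raises ValueError on a malformed port
    except ValueError:
        return CONFIGURED_BASE_URL
    allowed = {urlsplit(CONFIGURED_BASE_URL).hostname}
    if parsed.hostname not in allowed:
        return CONFIGURED_BASE_URL
    authority = parsed.hostname if port is None else f"{parsed.hostname}:{port}"
    return f"{scheme}://{authority}"


def reset_link_from_config(token):
    """What the fix on this page amounts to for reset emails: build the link
    from configuration only, so no request header can steer where the token
    is sent."""
    return f"{CONFIGURED_BASE_URL}{RESET_PATH}?token={token}"
```

The allowlist check is deliberately two-part: a trusted proxy address alone is not enough, because a proxy that forwards the client's Host header verbatim (the nginx default with `proxy_set_header Host $host` on a catch-all server block) would still relay an attacker-chosen value.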
Attack Vector
The attack requires no authentication and proceeds over the network. The attacker sends a forgot-password request to the target AzuraCast instance while supplying a malicious X-Forwarded-Host header pointing to an attacker-controlled domain. The victim receives a legitimate-looking email containing the poisoned link; because the message is sent by the real AzuraCast instance's mailer, it passes the victim's mail authentication checks and only the link host differs from normal. User interaction is required: the victim must click the link to leak the token, which remains valid on the legitimate instance until it is used or expires.
use App\Entity\User;
use App\Exception\Http\RateLimitExceededException;
use App\Http\Response;
+use App\Http\Router;
use App\Http\ServerRequest;
use App\RateLimit;
use App\Service\Mail;
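Review bot: On its own this hunk only adds the `use App\Http\Router;` import, so a reviewer (or an unused-import lint) cannot tell from it that reset URLs are now built from the configured base URL; the constructor injection of `Router` and the call site that replaces the request-derived host lie outside the excerpt. Quote that part of commit 7c622a1 next to the import, since it is the change that actually closes the hole.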
Source: AzuraCast commit 7c622a1. The patch in backend/src/Controller/Frontend/Account/ForgotPasswordAction.php injects the Router service so the controller always builds reset URLs from the server's configured base URL rather than from request-derived host values.
Detection Methods for CVE-2026-42606
Indicators of Compromise
- Inbound requests to the forgot-password endpoint carrying an X-Forwarded-Host header whose value is not one of the instance's legitimate hostnames. This is only visible where the header is logged as received, at the edge proxy; if the proxy overwrites the header, the application log will show the rewritten value and the evidence is lost.
- Outbound password reset emails referencing hostnames that do not match the configured AzuraCast server base URL (check the mail transport log or a retained copy of the message).
- Unexpected password change events followed by removal of 2FA configuration for the same user account.
- Bursts of POST requests to the forgot-password route from a single source IP, especially with a non-browser User-Agent. The route is unauthenticated and public, so an unfamiliar IP on its own is not an indicator.
Detection Strategies
- Log X-Forwarded-Host at the reverse proxy as it arrives (nginx exposes it as $http_x_forwarded_host, independent of what proxy_set_header later sends upstream) and compare it against the approved hostnames; alert on any other value reaching the forgot-password route.
- Correlate password reset events with subsequent 2FA disable events for the same account within a short time window.
- Alert on multiple forgot-password requests for high-value accounts, or from the same source IP, within a short period.
Monitoring Recommendations
- Forward AzuraCast application and web server logs to a centralized log platform for retention and correlation.
- Monitor authentication audit trails for password resets immediately followed by 2FA configuration changes.
- Track the volume of forgot-password requests to detect enumeration or targeted abuse against administrator accounts.
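The two detections described in the Indicators of Compromise, Detection Strategies and Monitoring Recommendations lists above, as an added example in Python that is not part of AzuraCast or of this advisory: a scan of edge-proxy access log lines for forgot-password requests with an unapproved X-Forwarded-Host and for per-IP bursts, and a correlation of password reset events with a 2FA removal shortly afterwards. It assumes the proxy logs the header as received (nginx: append xfh="$http_x_forwarded_host" to the log_format), that the route is POST /forgot, that radio.example.com is the only legitimate hostname, and placeholder audit event names; the log lines and audit events are constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumptions for this example, not facts about AzuraCast: the edge proxy logs
# the header as it arrived (nginx: append xfh="$http_x_forwarded_host" to the
# log_format), the forgot-password route is POST /forgot, and radio.example.com
# is the instance's only legitimate hostname.
ALLOWED_HOSTS = {"radio.example.com"}
FORGOT_ROUTE = "/forgot"
BURST_THRESHOLD = 3                      # forgot-password POSTs from one IP
RESET_TO_2FA_WINDOW = timedelta(minutes=10)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "[^"]*" xfh="(?P<xfh>[^"]*)"$'
)

# Constructed sample lines, not taken from any real deployment.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [09/May/2026:10:15:01 +0000] "POST /forgot HTTP/1.1" 200 512 "-" "curl/8.5" xfh="evil.example"
198.51.100.7 - - [09/May/2026:10:15:09 +0000] "POST /forgot HTTP/1.1" 200 512 "https://radio.example.com/login" "Mozilla/5.0" xfh="radio.example.com"
203.0.113.5 - - [09/May/2026:10:15:20 +0000] "POST /forgot HTTP/1.1" 200 512 "-" "curl/8.5" xfh="evil.example"
203.0.113.5 - - [09/May/2026:10:15:31 +0000] "POST /forgot HTTP/1.1" 200 512 "-" "curl/8.5" xfh="evil.example:8443"
198.51.100.9 - - [09/May/2026:10:16:02 +0000] "GET /api/nowplaying HTTP/1.1" 200 2048 "-" "Mozilla/5.0" xfh=""
"""


def scan_access_log(text):
    """Return (poisoned, bursts). poisoned lists forgot-password POSTs whose
    X-Forwarded-Host is set but names a host this instance does not serve;
    bursts maps source IPs that hit the route BURST_THRESHOLD or more times."""
    poisoned, per_ip = [], Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?", 1)[0] != FORGOT_ROUTE:
            continue
        per_ip[m["ip"]] += 1
        xfh = m["xfh"].split(",", 1)[0].strip()      # first hop of a proxy chain
        if not xfh:
            continue
        # Parse as a URL authority so "host:port" and IPv6 literals compare on
        # the hostname alone; urlsplit also lowercases it.
        host = urlsplit("//" + xfh).hostname
        if host not in ALLOWED_HOSTS:
            poisoned.append({"ip": m["ip"], "ts": m["ts"], "xfh": xfh})
    bursts = {ip: n for ip, n in per_ip.items() if n >= BURST_THRESHOLD}
    return poisoned, bursts


# Constructed audit events as (user, event, timestamp); the event names are
# placeholders, not AzuraCast's real audit vocabulary.
SAMPLE_AUDIT_EVENTS = [
    ("dj_alice", "password_reset", datetime(2026, 5, 9, 10, 17, 0)),
    ("dj_alice", "two_factor_disabled", datetime(2026, 5, 9, 10, 17, 40)),
    ("admin_bob", "password_reset", datetime(2026, 5, 9, 11, 0, 0)),
    ("admin_bob", "two_factor_disabled", datetime(2026, 5, 9, 13, 30, 0)),
]


def resets_followed_by_2fa_removal(events, window=RESET_TO_2FA_WINDOW):
    """Accounts whose 2FA was removed within `window` after a password reset,
    the sequence a successful token theft leaves behind."""
    resets = defaultdict(list)
    for user, kind, ts in events:
        if kind == "password_reset":
            resets[user].append(ts)
    flagged = set()
    for user, kind, ts in events:
        if kind != "two_factor_disabled":
            continue
        if any(timedelta(0) <= ts - r <= window for r in resets[user]):
            flagged.add(user)
    return sorted(flagged)
```

On the sample data the scan flags the three curl requests from 203.0.113.5 and reports that IP as a burst, while the browser request whose header names radio.example.com is ignored; the audit correlation flags dj_alice (2FA removed 40 seconds after the reset) and not admin_bob (two and a half hours apart). Tune BURST_THRESHOLD and the window to the deployment's normal reset volume.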
How to Mitigate CVE-2026-42606
Immediate Actions Required
- Upgrade AzuraCast to version 0.23.6 or later, where reset emails are built from the server base URL.
- Audit recent password reset and 2FA configuration changes for any signs of unauthorized account takeover.
- Force password resets and reconfigure 2FA for accounts that show suspicious reset activity prior to patching.
- Restrict network access to the AzuraCast instance until the upgrade is complete. Limiting only the administrative interface does not block this attack, since the forgot-password route is unauthenticated and is the endpoint the attacker calls.
Patch Information
The fix is included in AzuraCast release 0.23.6. The remediation is documented in GitHub Security Advisory GHSA-gv7r-3mr9-h5x8 and implemented in commit 7c622a1, which routes password reset URL generation through the application's Router service tied to the configured server base URL.
Workarounds
- Configure the upstream reverse proxy to strip or overwrite the X-Forwarded-Host header on all inbound requests.
- Restrict the AzuraCast service to accept connections only from known reverse proxy IP addresses.
- Disable the forgot-password flow temporarily and handle password resets through an administrative process until the patch is applied.
# Example nginx configuration: overwrite the client-supplied X-Forwarded-Host
# before proxying, so AzuraCast only ever sees the host that nginx matched.
# Caveat: $host is derived from the client's Host header, so this server block
# must be bound to the real hostname via server_name, with a separate
# default_server catch-all that rejects unknown hosts (for example "return 444;").
location / {
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass http://azuracast_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


