CVE-2026-45055 Overview
CVE-2026-45055 is a host header injection vulnerability in CubeCart, an open-source ecommerce platform. Affected versions 6.6.x through 6.7.1 construct the CC_STORE_URL constant directly from the HTTP Host request header at bootstrap without an allowlist. The unvalidated value is embedded into transactional email links, including password-reset URLs generated by User::passwordRequest() and Admin::passwordRequest(). An unauthenticated attacker who knows a target email address can poison the reset link to redirect victims to an attacker-controlled host while the embedded token remains valid against the legitimate store.
Critical Impact
Successful exploitation yields full account takeover, and store takeover when the targeted email belongs to an administrator.
Affected Products
- CubeCart 6.6.x
- CubeCart 6.7.0
- CubeCart 6.7.1
Discovery Timeline
- 2026-05-13 - CVE-2026-45055 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-45055
Vulnerability Analysis
The flaw is an improper input validation issue classified as CWE-20. During bootstrap, CubeCart assigns the value of the inbound Host header to the CC_STORE_URL constant without verifying it against a configured store domain or allowlist. This constant is then concatenated verbatim into outbound email content, including password-reset links sent by User::passwordRequest() and the administrative equivalent in Admin::passwordRequest().
When a victim clicks the poisoned link, their browser sends the recovery token to an attacker-controlled domain. The token is generated server-side, persisted by the legitimate CubeCart store, and remains valid for 3,600 seconds. Because the token is bound to the legitimate backend rather than the host in the link, the attacker can replay it against the real store to reset the victim's password.
Root Cause
CubeCart trusts the client-supplied Host header as authoritative for self-referential URL generation. No allowlist, canonical hostname configuration, or X-Forwarded-Host sanitization is applied before the value is propagated into email templates.
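As an added illustration (not CubeCart's code), the following Python models the bootstrap decision the root cause describes: the flawed pattern that echoes the client-supplied Host beside a hardened resolver that only honours an allowlisted host, treats X-Forwarded-Host as meaningful only when the request comes from a known proxy, and otherwise falls back to the configured canonical hostname. The host names, proxy address and token value are constructed for the example.

```python
# Constructed configuration for this example (not CubeCart's real settings).
CANONICAL_HOST = "store.example.com"
ALLOWED_HOSTS = {"store.example.com", "www.store.example.com"}
TRUSTED_PROXIES = {"10.0.0.5"}          # only these may set X-Forwarded-Host


def vulnerable_store_url(headers: dict) -> str:
    """The flawed pattern: whatever Host the client sent becomes the store URL."""
    return "http://" + headers.get("Host", "")


def _normalise(host: str) -> str:
    """Lower-case, drop a trailing dot and a default port before comparing."""
    host = host.strip().lower().rstrip(".")
    if host.endswith((":80", ":443")):
        host = host.rsplit(":", 1)[0]
    return host


def hardened_store_url(headers: dict, remote_addr: str, scheme: str = "https") -> str:
    """Resolve the self-referential base URL from an allowlist, never from raw input."""
    candidate = headers.get("Host", "")
    forwarded = headers.get("X-Forwarded-Host")
    # X-Forwarded-Host only means something when a trusted proxy is in front of
    # us; from anyone else it is just another attacker-controlled header.
    if forwarded and remote_addr in TRUSTED_PROXIES:
        candidate = forwarded.split(",")[0]
    host = _normalise(candidate)
    if host not in ALLOWED_HOSTS:
        host = CANONICAL_HOST   # refuse to echo an unknown host into outbound links
    return f"{scheme}://{host}"


def reset_link(headers: dict, remote_addr: str, token: str) -> str:
    """Build the password-recovery link from the resolved canonical base URL."""
    return f"{hardened_store_url(headers, remote_addr)}/index.php?_a=recovery&validate={token}"
```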
Attack Vector
An unauthenticated attacker sends a crafted request such as POST /index.php?_a=recover with a forged Host: evil.com header and the victim's email in the request body. CubeCart writes a new verification token and dispatches an email containing http://evil.com/index.php?_a=recovery&validate=<TOKEN>. When the victim opens the message and clicks the link, the token is delivered to the attacker, who replays it on the real store to complete password recovery. Targeting an administrator email escalates the impact to full store compromise.
No verified exploit code is publicly available. See the GitHub Security Advisory for vendor technical details.
Detection Methods for CVE-2026-45055
Indicators of Compromise
- Outbound password-reset emails containing _a=recovery&validate= links pointing to hosts other than the canonical store domain.
- Web server access logs showing POST requests to /index.php?_a=recover with Host header values that do not match the configured store hostname.
- Successful password changes immediately following recovery requests originating from unfamiliar IP addresses.
Detection Strategies
- Inspect HTTP access logs for Host header mismatches between the request and the server's configured virtual host.
- Correlate /index.php?_a=recover requests with subsequent /index.php?_a=recovery token submissions to detect anomalous reset flows.
- Alert on administrator account password changes that lack a prior authenticated session from a known administrative IP range.
Monitoring Recommendations
- Enable verbose logging of email dispatch events so generated reset URLs can be audited against the canonical domain.
- Forward web server and application logs to a centralized analytics platform for retroactive hunting on Host header anomalies.
- Monitor for rapid sequences of recovery requests targeting multiple distinct email addresses, which indicate automated abuse.
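The following Python is an added example (not part of the original advisory) that applies the indicators and detection strategies above to access logs: it flags POST /index.php?_a=recover requests whose Host header is not the canonical store domain, then correlates them with recovery token submissions that arrive while such a token could still be valid. It assumes a custom log_format that appends the request's Host header as a final quoted field; the sample lines, addresses and token are constructed.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

CANONICAL_HOST = "store.example.com"
TOKEN_TTL = timedelta(seconds=3600)   # token lifetime stated in the advisory

# Constructed sample lines: common access-log fields followed by the request's
# Host header in quotes (assumes a custom log_format that appends $host).
SAMPLE_LOG = """\
203.0.113.9 - - [13/May/2026:10:00:00 +0000] "POST /index.php?_a=recover HTTP/1.1" 200 512 "evil.com"
198.51.100.4 - - [13/May/2026:10:01:30 +0000] "POST /index.php?_a=recover HTTP/1.1" 200 512 "store.example.com"
203.0.113.9 - - [13/May/2026:10:12:05 +0000] "GET /index.php?_a=recovery&validate=ab12cd34 HTTP/1.1" 200 2048 "store.example.com"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<host>[^"]*)"$')


def parse(line: str):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["query"] = parse_qs(urlsplit(rec["path"]).query)
    rec["action"] = rec["query"].get("_a", [""])[0]
    return rec


def analyse(log_text: str, canonical: str = CANONICAL_HOST):
    """Return (recover requests with a foreign Host, likely token replays)."""
    records = [r for r in map(parse, log_text.splitlines()) if r]
    # Indicator 1: a reset was requested with a Host that is not the store's.
    poisoned = [r for r in records
                if r["method"] == "POST" and r["action"] == "recover"
                and r["host"].lower() != canonical]
    # Indicator 2: a recovery token submitted while a poisoned request's token
    # could still be valid; the same client IP on both makes a replay likely.
    replays = []
    for r in records:
        if r["action"] != "recovery" or "validate" not in r["query"]:
            continue
        for p in poisoned:
            age = (r["ts"] - p["ts"]).total_seconds()
            if 0 <= age <= TOKEN_TTL.total_seconds():
                replays.append({"poisoned_by": p["ip"], "host": p["host"],
                                "submitted_from": r["ip"], "same_ip": r["ip"] == p["ip"]})
    return poisoned, replays
```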
How to Mitigate CVE-2026-45055
Immediate Actions Required
- Upgrade CubeCart to version 6.7.2, which removes the dependency on the client-supplied Host header for CC_STORE_URL.
- Invalidate any outstanding password-reset tokens issued by vulnerable installations.
- Force administrators to rotate credentials and review recent account activity for unauthorized password changes.
Patch Information
The vulnerability is fixed in CubeCart 6.7.2. Refer to the GitHub Security Advisory GHSA-7pvc-gxc4-chmc for vendor remediation details and changelog references.
Workarounds
- Configure the upstream web server or reverse proxy to reject or normalize requests whose Host header does not match the canonical store domain.
- Pin CC_STORE_URL to a hard-coded value in CubeCart's configuration where the deployment allows manual override.
- Strip or validate X-Forwarded-Host headers at the load balancer to prevent header smuggling from upstream proxies.
# Example nginx configuration to enforce canonical Host header
server {
    listen 443 ssl;
    server_name store.example.com;

    # Drop any request whose Host header is not the canonical store name.
    # 444 is nginx-specific: close the connection without sending a response.
    # Make this block the default_server for the listener (or add a catch-all
    # server) so that requests carrying a foreign Host value reach this check.
    if ($host != "store.example.com") {
        return 444;
    }

    location / {
        # Hand the backend a fixed Host so CC_STORE_URL cannot be influenced by the client.
        proxy_set_header Host store.example.com;
        proxy_pass http://cubecart_backend;
    }
}