Description
User-Controlled HTTP Header in Fortra's GoAnywhere MFT prior to version 7.10.0 allows attackers to trigger a DNS lookup, as well as DNS Rebinding and Information Disclosure.
Published: 2026-04-21
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure via DNS Rebinding and Arbitrary DNS lookups
Action: Immediate Patch
AI Analysis

Impact

The vulnerability originates from a user-controlled HTTP header in older releases of Fortra's GoAnywhere MFT. By supplying a specially crafted header value, an attacker can cause the server to perform DNS lookups against arbitrary domain names. This can lead to DNS rebinding attacks and leakage of internal host information. The weakness is classified as CWE-74 (improper neutralization of special elements used by a downstream component, i.e. injection), reflecting inadequate validation or encoding of external input before it reaches the resolver. In practice, an adversary could determine internal IP addresses or exploit other components that rely on DNS resolution, leading to information disclosure or facilitating further attacks.

Affected Systems

Fortra GoAnywhere MFT versions prior to 7.10.0 are impacted. Users should verify their installed version and upgrade to the remediated release.

Risk and Exploitability

The CVSS score of 6.5 denotes a moderate severity. Exploitation requires the attacker to send HTTP requests with a manipulated header to the MFT server; therefore, it is limited to network-reachable endpoints. As EPSS information is unavailable, the attack probability cannot be quantified, and the vulnerability is not currently listed in the CISA KEV catalog, suggesting no public exploitation is known. Nonetheless, because DNS rebinding can expose internal systems, administrators should treat this as a risk that can be mitigated by patching.

Generated by OpenCVE AI on April 22, 2026 at 03:06 UTC.

Remediation

Vendor Solution

Upgrade to a remediated version (version 7.10.0 or later).

OpenCVE Recommended Actions

  • Upgrade to GoAnywhere MFT version 7.10.0 or later, which removes the vulnerable header handling logic.
  • Restrict or validate incoming HTTP headers so that only trusted values are accepted, preventing the header from being used for arbitrary DNS queries.
  • Enable monitoring of DNS request patterns to detect anomalous or unexplained lookups that might indicate exploitation.


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 12:15:00 +0000

  • First Time appeared: added Fortra, Fortra goanywhere Mft (nothing removed)
  • Vendors & Products: added Fortra, Fortra goanywhere Mft (nothing removed)

Tue, 21 Apr 2026 15:15:00 +0000

  • Metrics (ssvc): added {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'} (nothing removed)

Tue, 21 Apr 2026 14:30:00 +0000

  • Description: added "User-Controlled HTTP Header in Fortra's GoAnywhere MFT prior to version 7.10.0 allows attackers to trigger a DNS lookup, as well as DNS Rebinding and Information Disclosure."
  • Title: added "User-Controlled HTTP Header In Fortra's GoAnywhere MFT Allows Arbitrary DNS Lookups"
  • Weaknesses: added CWE-74
  • References: (no values listed)
  • Metrics (cvssV3_1): added {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L'}

MITRE

Status: PUBLISHED

Assigner: Fortra

Published:

Updated: 2026-04-21T15:00:35.492Z

Reserved: 2026-01-16T21:03:16.471Z

Link: CVE-2026-1089

Vulnrichment

Updated: 2026-04-21T15:00:31.947Z

NVD

Status: Awaiting Analysis

Published: 2026-04-21T15:16:35.943

Modified: 2026-04-21T16:20:24.180

Link: CVE-2026-1089

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:46:25Z

Weaknesses