Description
Internet Routing Registry daemon version 4 is an IRR database server, processing IRR objects in the RPSL format. From version 4.4.0 to before version 4.4.5 and from version 4.5.0 to before version 4.5.1, an attacker can manipulate the HTTP Host header on a password reset or account creation request. The confirmation link in the resulting email can then point to an attacker-controlled domain. Opening the link in the email is sufficient to pass the token to the attacker, who can then use it on the real IRRD instance to take over the account. A compromised account can then be used to modify RPSL objects maintained by the account's mntners and perform other account actions. If the user had two-factor authentication configured, which is required for users with override access, an attacker is not able to log in, even after successfully resetting the password. This issue has been patched in versions 4.4.5 and 4.5.1.
Published: 2026-03-06
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Account Takeover via Password Reset Poisoning
Action: Immediate Patch
AI Analysis

Impact

An attacker who can control the HTTP Host header during a password reset or account creation request can cause the application to send a confirmation link that points to a domain chosen by the attacker. When a user opens the link, the reset token is included in a request to the attacker‑controlled domain, exposing the token to the attacker. The attacker can then use the stolen token to log into the affected IRRd instance, gaining full access to the account and the ability to modify RPSL objects and perform other privileged actions. The vulnerability is mitigated for users with two‑factor authentication enabled for override accounts, but ordinary accounts remain vulnerable.

Affected Systems

This flaw exists in the IRRd daemon from the irrdnet project, version 4 of the Internet Routing Registry database server. It affects all installations of IRRd 4.4.0 through (but not including) 4.4.5 and 4.5.0 through (but not including) 4.5.1. The issue was fixed in release 4.4.5 and again in 4.5.1, which patch the host‑header handling in the web UI.

Risk and Exploitability

The vulnerability has a CVSS score of 8.1, indicating a high severity. The exploitation probability is low, with an EPSS score of less than 1%, and it is not listed in the CISA KEV catalog. Likely attack vectors involve remotely manipulating the Host header in HTTP requests sent to the web interface; based on the description, the attacker does not need privileged credentials to begin the attack. Once the reset link is poisoned, the attacker can acquire a valid authentication token and take over the account if two‑factor authentication is not enforced.

Generated by OpenCVE AI on April 17, 2026 at 12:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the IRRd daemon to version 4.4.5 or later, or to 4.5.1 or later, which fix the host header validation flaw.
  • If an upgrade is not yet possible, configure the web server or a WAF to reject or rewrite unexpected Host header values and enforce strict host header validation.
  • Enable or enforce two‑factor authentication for all accounts, and review permissions so that only minimal privileges are granted to each user.

Generated by OpenCVE AI on April 17, 2026 at 12:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-22m3-c7vp-49fj IRRd: web UI host header injection allows password reset poisoning via attacker-controlled email links
History

Tue, 21 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Internet Routing Registry Daemon Project
Internet Routing Registry Daemon Project internet Routing Registry Daemon
CPEs cpe:2.3:a:internet_routing_registry_daemon_project:internet_routing_registry_daemon:*:*:*:*:*:*:*:*
Vendors & Products Internet Routing Registry Daemon Project
Internet Routing Registry Daemon Project internet Routing Registry Daemon

Fri, 06 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Irrdnet
Irrdnet irrd
Vendors & Products Irrdnet
Irrdnet irrd

Fri, 06 Mar 2026 04:45:00 +0000

Type Values Removed Values Added
Description Internet Routing Registry daemon version 4 is an IRR database server, processing IRR objects in the RPSL format. From version 4.4.0 to before version 4.4.5 and from version 4.5.0 to before version 4.5.1, an attacker can manipulate the HTTP Host header on a password reset or account creation request. The confirmation link in the resulting email can then point to an attacker-controlled domain. Opening the link in the email is sufficient to pass the token to the attacker, who can then use it on the real IRRD instance to take over the account. A compromised account can then be used to modify RPSL objects maintained by the account's mntners and perform other account actions. If the user had two-factor authentication configured, which is required for users with override access, an attacker is not able to log in, even after successfully resetting the password. This issue has been patched in versions 4.4.5 and 4.5.1.
Title IRRd: web UI host header injection allows password reset poisoning via attacker-controlled email links
Weaknesses CWE-601
CWE-640
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

Subscriptions

Internet Routing Registry Daemon Project Internet Routing Registry Daemon
Irrdnet Irrd
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T16:07:02.713Z

Reserved: 2026-03-02T21:43:19.927Z

Link: CVE-2026-28681

cve-icon Vulnrichment

Updated: 2026-03-06T15:58:16.561Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-06T05:16:37.710

Modified: 2026-04-21T14:45:02.460

Link: CVE-2026-28681

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T12:30:06Z

Weaknesses