Description
AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the ApplyXForwarded middleware unconditionally trusts the client-supplied X-Forwarded-Host HTTP header with no trusted proxy allowlist. An unauthenticated attacker can poison the password reset URL sent to any user by injecting this header when triggering the forgot-password flow. When the victim clicks the poisoned link, their reset token is exfiltrated to the attacker's server. The attacker then uses the token on the real instance to reset the victim's password and destroy their 2FA configuration, achieving full account takeover. This issue has been patched in version 0.23.6.
Published: 2026-05-09
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability in AzuraCast allows an attacker to poison the password reset link by injecting an unsolicited X-Forwarded-Host HTTP header. The poisoned link exfiltrates the reset token to the attacker, who then resets the victim’s password and removes 2FA, resulting in full account takeover. This is a header manipulation flaw (CWE‑640) that permits unauthorized access without authentication.

Affected Systems

The flaw exists in the AzuraCast web radio management suite before version 0.23.6. Any self‑hosted deployment using an earlier release is vulnerable. The issue was fixed in release 0.23.6 and later.

Risk and Exploitability

The vulnerability scores a CVSS of 8.1, indicating a high‑severity condition. No EPSS data is available, but the exploit requires only that an attacker can send an HTTP request to the instance during the reset‑password workflow; authentication is not required. The lack of a KEV listing suggests no publicly known exploits yet, yet the attack path is straightforward and could be performed by anyone with network access to the front‑end. Consequently, the risk is medium‑high, with the potential for full compromise of user accounts.

Generated by OpenCVE AI on May 9, 2026 at 21:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AzuraCast to version 0.23.6 or newer, where the ApplyXForwarded middleware has been hardened.
  • If an upgrade is not immediately feasible, configure the web server or application to ignore or strip the X-Forwarded-Host header for unauthenticated requests, or restrict trusted proxies to known addresses.
  • Verify that password‑reset emails and links point to the expected domain name and that no unexpected host header is used; if inconsistencies are detected, manually reset affected accounts and re‑enable 2FA.

Generated by OpenCVE AI on May 9, 2026 at 21:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-gv7r-3mr9-h5x8 AzuraCast has Password Reset Poisoning via Untrusted X-Forwarded-Host Header that Leads to Account Takeover and 2FA Bypass
History

Sat, 09 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Azuracast
Azuracast azuracast
Vendors & Products Azuracast
Azuracast azuracast

Sat, 09 May 2026 20:00:00 +0000

Type Values Removed Values Added
Description AzuraCast is a self-hosted, all-in-one web radio management suite. Prior to version 0.23.6, the ApplyXForwarded middleware unconditionally trusts the client-supplied X-Forwarded-Host HTTP header with no trusted proxy allowlist. An unauthenticated attacker can poison the password reset URL sent to any user by injecting this header when triggering the forgot-password flow. When the victim clicks the poisoned link, their reset token is exfiltrated to the attacker's server. The attacker then uses the token on the real instance to reset the victim's password and destroy their 2FA configuration, achieving full account takeover. This issue has been patched in version 0.23.6.
Title AzuraCast: Password Reset Poisoning via Untrusted X-Forwarded-Host Header Leads to Account Takeover and 2FA Bypass
Weaknesses CWE-640
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

Subscriptions

Azuracast Azuracast
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-09T19:43:35.866Z

Reserved: 2026-04-29T00:31:15.725Z

Link: CVE-2026-42606

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-09T20:16:30.170

Modified: 2026-05-09T20:16:30.170

Link: CVE-2026-42606

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-09T21:30:42Z

Weaknesses