Description
Poweradmin is a web-based DNS administration tool for PowerDNS server. Versions prior to 4.2.4 and 4.3.3 use the attacker-controlled `HTTP_HOST` request header as the authoritative source for building callback URLs in its OIDC, SAML, and logout authentication flows without any validation. An unauthenticated attacker can poison the `redirect_uri` sent to the Identity Provider, causing the IdP to redirect the victim's authorization code to an attacker-controlled server - resulting in full account takeover with no credentials required. Versions 4.2.4 and 4.3.3 patch the issue.
Published: 2026-06-23
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Host header injection flaw in Poweradmin lets an attacker control the value the application reads from the HTTP_HOST request header. The application uses that header, without validation, as the authoritative source when it builds redirect URIs in its OIDC, SAML, and logout authentication flows. By supplying a crafted Host value, an unauthenticated attacker can poison the redirect_uri sent to the identity provider, so that the victim's authorization code is delivered to an attacker-controlled endpoint. This results in full account takeover with no credentials required and is categorized as CWE-20 and CWE-601.

Affected Systems

The affected product is Poweradmin, a web-based DNS administration tool for PowerDNS. Versions earlier than 4.2.4 and versions earlier than 4.3.3 are vulnerable; releases 4.2.4 and 4.3.3 contain the fix.

Risk and Exploitability

The CVSS score of 9.6 places this vulnerability in the critical-severity range. The EPSS score is below 1% (very low) and the vulnerability is not listed in the CISA KEV catalog. The attack is carried out by sending a crafted HTTP request to the application over HTTP or HTTPS with an altered Host header, and the attacker requires no prior authentication, although the victim must follow the resulting authentication flow (user interaction required). Given the low attack complexity recorded in the CVSS vector and the importance of the affected application, the risk is considered very high.

Generated by OpenCVE AI on June 24, 2026 at 09:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Poweradmin patches, version 4.2.4 or 4.3.3, to eliminate the host header injection.
  • Configure the web server to ignore or sanitize the Host header, or ensure that only known, trusted hostnames are accepted by the application.
  • Implement a whitelist of allowed redirect URIs for OIDC, SAML, and logout flows to prevent malicious redirects.
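The recommended allowlist approach, as an added example in Python (it is not Poweradmin's code, and the hostnames, endpoints and paths it uses are constructed placeholders): the vulnerable pattern trusts the Host header when building the OIDC redirect_uri, while the hardened builder only ever emits a hostname from a configured set, forces the scheme, and rejects protocol-relative paths. The same allowlist also guards the post-logout redirect target, which covers the CWE-601 half of the advisory.

```python
"""Allowlisted callback and redirect URL construction (added example)."""
from urllib.parse import urlsplit, urlencode

# Constructed configuration (hypothetical values): the hostnames this
# deployment may be reached under. URLs are built only from this set.
TRUSTED_HOSTS = frozenset({"dns-admin.example.com", "dns-admin.internal.example.com"})


class UntrustedHostError(ValueError):
    """Raised when the request's Host header is not a configured hostname."""


def vulnerable_callback_url(headers: dict, path: str) -> str:
    """The pattern the advisory describes: the Host header is trusted as-is,
    so whoever controls the header controls where the IdP sends the code."""
    return f"https://{headers.get('Host', '')}{path}"


def normalize_host(raw: str) -> str:
    """Lower-case, drop an explicit port and a trailing dot. IPv6 literals are
    left untouched and simply fail the allowlist lookup."""
    host = raw.strip().lower()
    if ":" in host and not host.startswith("["):
        host = host.rsplit(":", 1)[0]
    return host.rstrip(".")


def host_is_trusted(headers: dict, trusted: frozenset = TRUSTED_HOSTS) -> bool:
    """True only when the normalized Host header is in the configured set."""
    return normalize_host(headers.get("Host", "")) in trusted


def trusted_host(headers: dict, trusted: frozenset = TRUSTED_HOSTS) -> str:
    """Return the allowlisted hostname matching the request, or raise."""
    if not host_is_trusted(headers, trusted):
        raise UntrustedHostError(f"Host header {headers.get('Host')!r} is not a trusted hostname")
    return normalize_host(headers["Host"])


def hardened_callback_url(headers: dict, path: str) -> str:
    """Absolute callback URL (OIDC redirect_uri, SAML ACS/SLO) built from the
    allowlist: fixed scheme, configured host, site-relative path only."""
    if not path.startswith("/") or path.startswith("//"):
        raise ValueError("callback path must be an absolute, site-relative path")
    return f"https://{trusted_host(headers)}{path}"


def oidc_authorize_url(authorize_endpoint: str, client_id: str, headers: dict, state: str) -> str:
    """Assemble the IdP authorization request; redirect_uri comes from the hardened builder."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": hardened_callback_url(headers, "/oidc/callback"),
        "scope": "openid",
        "state": state,
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def safe_logout_target(requested: str, fallback: str = "/login") -> str:
    """Post-logout redirect: accept a site-relative path or an https URL whose
    host is allowlisted; anything else (including //host) falls back."""
    if not requested:
        return fallback
    parts = urlsplit(requested)
    if not parts.scheme and not parts.netloc:
        # Relative target: a single leading slash, never protocol-relative
        return requested if requested.startswith("/") and not requested.startswith("//") else fallback
    if parts.scheme == "https" and normalize_host(parts.hostname or "") in TRUSTED_HOSTS:
        return requested
    return fallback


if __name__ == "__main__":
    legit = {"Host": "DNS-Admin.example.com:443"}   # constructed request header
    poisoned = {"Host": "attacker.example.net"}      # constructed request header
    print("vulnerable:", vulnerable_callback_url(poisoned, "/oidc/callback"))
    print("hardened:  ", oidc_authorize_url("https://idp.example.org/authorize", "poweradmin", legit, "s1"))
    try:
        hardened_callback_url(poisoned, "/oidc/callback")
    except UntrustedHostError as exc:
        print("rejected:  ", exc)
    print("logout:    ", safe_logout_target("//attacker.example.net/"))
```

A request carrying an untrusted Host raises before any URL is built, which is also the point to emit a log line for detection: legitimate clients never send a hostname outside the configured set, so each rejection is worth an alert.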


Advisories

No advisories yet.

History

Wed, 24 Jun 2026 13:30:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 22:30:00 +0000

Type: Description
Values removed: (none)
Values added: Poweradmin is a web-based DNS administration tool for PowerDNS server. Versions prior to 4.2.4 and 4.3.3 use the attacker-controlled `HTTP_HOST` request header as the authoritative source for building callback URLs in its OIDC, SAML, and logout authentication flows without any validation. An unauthenticated attacker can poison the `redirect_uri` sent to the Identity Provider, causing the IdP to redirect the victim's authorization code to an attacker-controlled server - resulting in full account takeover with no credentials required. Versions 4.2.4 and 4.3.3 patch the issue.

Type: Title
Values removed: (none)
Values added: Poweradmin has Host Header Injection in OIDC redirect_uri, SAML ACS/SLO URL, and Logout Redirect Construction.

Type: Weaknesses
Values removed: (none)
Values added: CWE-20, CWE-601

Type: References
Values removed: (none)
Values added: (none)

Type: Metrics
Values removed: (none)
Values added: cvssV3_1 {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-24T12:20:59.442Z

Reserved: 2026-06-15T19:15:27.345Z

Link: CVE-2026-54588

Vulnrichment

Updated: 2026-06-24T12:20:02.304Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T09:30:06Z

Weaknesses
  • CWE-20: Improper Input Validation
  • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')