PatchSiren cyber security CVE debrief

CVE-2026-42606 Unknown Vendor CVE debrief

CVE-2026-42606 is a high-severity vulnerability in AzuraCast’s ApplyXForwarded middleware that trusted the client-supplied X-Forwarded-Host header without a trusted-proxy allowlist. An unauthenticated attacker could influence the host used in a forgot-password email, poison the reset URL, and cause the reset token to be sent to an attacker-controlled destination when the victim clicked the link. With the token, the attacker could then complete password reset on the real instance and take over the account. The issue is fixed in AzuraCast 0.23.6.

Vendor: Unknown Vendor
Product: Unknown
CVSS: HIGH 8.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-09
Original CVE updated: 2026-05-09
Advisory published: 2026-05-09
Advisory updated: 2026-05-09

Who should care

AzuraCast operators, administrators, and security teams should prioritize this if their deployment exposes password reset functionality to users and sits behind a reverse proxy or any network path where forwarded headers may be accepted.

Technical summary

The vulnerable middleware accepted X-Forwarded-Host from the client without verifying that the request came through a trusted proxy. During the forgotten-password flow, that host value could be reflected into the generated reset URL. Because the reset link could be poisoned before it reached the victim, the victim’s click could disclose the reset token to an attacker-controlled server. The attack requires no authentication, but it does require user interaction. The supplied metadata maps the issue to CWE-640 and CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N.

Defensive priority

High

Recommended defensive actions

  • Upgrade AzuraCast to version 0.23.6 or later.
  • Review reverse-proxy and application handling of forwarded headers; only trust X-Forwarded-Host when the request is known to come from an approved proxy.
  • Validate that password reset links are generated with the expected canonical host and that untrusted host headers cannot alter them.
  • Invalidate and reissue any exposed password-reset tokens if abuse is suspected.
  • Encourage affected users to reset passwords and confirm 2FA settings after remediation if there is any indication of compromise.
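To make the trusted-proxy check from the technical summary and the first three recommended actions concrete, here is an added Python example (not AzuraCast's code). The proxy ranges, allowed hostnames and reset path are constructed assumptions; it contrasts the flawed host resolution with a hardened one and adds a detection hook for requests that carry an unexpected X-Forwarded-Host.

```python
import ipaddress
from urllib.parse import urlunsplit

# Constructed sample deployment (assumptions, not AzuraCast's own configuration):
# peers allowed to set forwarded headers, and hostnames the instance answers on.
# `headers` dicts below use canonical-cased names, as a framework would normalize them.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("127.0.0.1/32")]
ALLOWED_HOSTS = {"radio.example.org"}
CANONICAL_HOST = "radio.example.org"


def host_vulnerable(headers):
    """The flawed behaviour the debrief describes: X-Forwarded-Host is honoured
    from any client, so whoever sends the request chooses the host."""
    return headers.get("X-Forwarded-Host", headers.get("Host", ""))


def _from_trusted_proxy(remote_addr):
    """True only if the immediate TCP peer is in the trusted-proxy allowlist."""
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(peer in net for net in TRUSTED_PROXIES)


def _first_forwarded_host(headers):
    """A proxy chain may append several values; the first is the original host."""
    return headers.get("X-Forwarded-Host", "").split(",")[0].strip().lower()


def host_hardened(headers, remote_addr):
    """Honour X-Forwarded-Host only from a trusted proxy, and only if it names a
    host this instance legitimately serves; otherwise pin the canonical host."""
    forwarded = _first_forwarded_host(headers)
    if _from_trusted_proxy(remote_addr) and forwarded in ALLOWED_HOSTS:
        return forwarded
    return CANONICAL_HOST


def forwarded_host_suspicious(headers, remote_addr):
    """Detection hook: a request carrying X-Forwarded-Host that did not come
    through a trusted proxy, or that names an unknown host, is worth logging."""
    if "X-Forwarded-Host" not in headers:
        return False
    return not (_from_trusted_proxy(remote_addr) and _first_forwarded_host(headers) in ALLOWED_HOSTS)


def reset_url(host, token):
    """Build the reset link from an already-validated host (placeholder path)."""
    return urlunsplit(("https", host, "/recover/" + token, "", ""))
```

Wiring `forwarded_host_suspicious` into request logging gives a cheap signal for the abuse pattern, since traffic that really passes through a correctly configured proxy never trips it.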

Evidence notes

The debrief is based on the CVE description and the linked GitHub Security Advisory, commit, and release record. The official NVD entry lists the issue as received on 2026-05-09 and includes the CVSS vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N plus CWE-640. No additional exploit mechanics beyond the supplied sources are included.

Official resources

Publicly disclosed on 2026-05-09 through the official CVE/NVD record and the linked GitHub Security Advisory; AzuraCast 0.23.6 contains the fix.