CVE-2026-28681 (GCVE-0-2026-28681)

Vulnerability from cvelistv5 – Published: 2026-03-06 04:35 – Updated: 2026-03-06 16:07
Title
IRRd: web UI host header injection allows password reset poisoning via attacker-controlled email links
Summary
Internet Routing Registry daemon version 4 is an IRR database server, processing IRR objects in the RPSL format. From version 4.4.0 to before version 4.4.5 and from version 4.5.0 to before version 4.5.1, an attacker can manipulate the HTTP Host header on a password reset or account creation request. The confirmation link in the resulting email can then point to an attacker-controlled domain. Opening the link in the email is sufficient to pass the token to the attacker, who can then use it on the real IRRD instance to take over the account. A compromised account can then be used to modify RPSL objects maintained by the account's mntners and perform other account actions. If the user had two-factor authentication configured, which is required for users with override access, an attacker is not able to log in, even after successfully resetting the password. This issue has been patched in versions 4.4.5 and 4.5.1.
CWE
  • CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
  • CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
Assigner
GitHub_M
Impacted products
Vendor   Product  Version
irrdnet  irrd     Affected: >= 4.4.0, < 4.4.5
                  Affected: >= 4.5.0, < 4.5.1

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-28681",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-06T15:58:15.412745Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-06T16:07:02.713Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "irrd",
          "vendor": "irrdnet",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.4.0, \u003c 4.4.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.5.0, \u003c 4.5.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Internet Routing Registry daemon version 4 is an IRR database server, processing IRR objects in the RPSL format. From version 4.4.0 to before version 4.4.5 and from version 4.5.0 to before version 4.5.1, an attacker can manipulate the HTTP Host header on a password reset or account creation request. The confirmation link in the resulting email can then point to an attacker-controlled domain. Opening the link in the email is sufficient to pass the token to the attacker, who can then use it on the real IRRD instance to take over the account. A compromised account can then be used to modify RPSL objects maintained by the account\u0027s mntners and perform other account actions. If the user had two-factor authentication configured, which is required for users with override access, an attacker is not able to log in, even after successfully resetting the password. This issue has been patched in versions 4.4.5 and 4.5.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-601",
              "description": "CWE-601: URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-640",
              "description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-06T04:35:59.899Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/irrdnet/irrd/security/advisories/GHSA-22m3-c7vp-49fj",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/irrdnet/irrd/security/advisories/GHSA-22m3-c7vp-49fj"
        },
        {
          "name": "https://github.com/irrdnet/irrd/commit/8408e0f1b9f47eb2f2e712d6153e32194df05fbb",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/irrdnet/irrd/commit/8408e0f1b9f47eb2f2e712d6153e32194df05fbb"
        },
        {
          "name": "https://github.com/irrdnet/irrd/commit/cf62df4a49d3891e80b2879d9b324d1af050000c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/irrdnet/irrd/commit/cf62df4a49d3891e80b2879d9b324d1af050000c"
        },
        {
          "name": "https://irrd.readthedocs.io/en/stable/releases/4.4.5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://irrd.readthedocs.io/en/stable/releases/4.4.5"
        },
        {
          "name": "https://irrd.readthedocs.io/en/stable/releases/4.5.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://irrd.readthedocs.io/en/stable/releases/4.5.1"
        }
      ],
      "source": {
        "advisory": "GHSA-22m3-c7vp-49fj",
        "discovery": "UNKNOWN"
      },
      "title": "IRRd: web UI host header injection allows password reset poisoning via attacker-controlled email links"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-28681",
    "datePublished": "2026-03-06T04:35:59.899Z",
    "dateReserved": "2026-03-02T21:43:19.927Z",
    "dateUpdated": "2026-03-06T16:07:02.713Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-28681",
      "date": "2026-04-24",
      "epss": "0.00034",
      "percentile": "0.09909"
    }
  }
}
