FKIE_CVE-2026-28681
Vulnerability from fkie_nvd - Published: 2026-03-06 05:16 - Updated: 2026-04-21 14:45
Summary
Internet Routing Registry daemon version 4 is an IRR database server, processing IRR objects in the RPSL format. From version 4.4.0 to before version 4.4.5 and from version 4.5.0 to before version 4.5.1, an attacker can manipulate the HTTP Host header on a password reset or account creation request. The confirmation link in the resulting email can then point to an attacker-controlled domain. Opening the link in the email is sufficient to pass the token to the attacker, who can then use it on the real IRRD instance to take over the account. A compromised account can then be used to modify RPSL objects maintained by the account's mntners and perform other account actions. If the user had two-factor authentication configured, which is required for users with override access, an attacker is not able to log in, even after successfully resetting the password. This issue has been patched in versions 4.4.5 and 4.5.1.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:internet_routing_registry_daemon_project:internet_routing_registry_daemon:*:*:*:*:*:*:*:*",
"matchCriteriaId": "574BCDBF-F12E-409C-B62A-5EB3A0451BD1",
"versionEndExcluding": "4.4.5",
"versionStartIncluding": "4.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:internet_routing_registry_daemon_project:internet_routing_registry_daemon:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D3CAA62B-54C2-4D17-84A3-33366F007E0E",
"versionEndExcluding": "4.5.1",
"versionStartIncluding": "4.5.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Internet Routing Registry daemon version 4 is an IRR database server, processing IRR objects in the RPSL format. From version 4.4.0 to before version 4.4.5 and from version 4.5.0 to before version 4.5.1, an attacker can manipulate the HTTP Host header on a password reset or account creation request. The confirmation link in the resulting email can then point to an attacker-controlled domain. Opening the link in the email is sufficient to pass the token to the attacker, who can then use it on the real IRRD instance to take over the account. A compromised account can then be used to modify RPSL objects maintained by the account\u0027s mntners and perform other account actions. If the user had two-factor authentication configured, which is required for users with override access, an attacker is not able to log in, even after successfully resetting the password. This issue has been patched in versions 4.4.5 and 4.5.1."
},
{
"lang": "es",
"value": "Demonio de Internet Routing Registry versi\u00f3n 4 es un servidor de base de datos IRR, que procesa objetos IRR en formato RPSL. Desde la versi\u00f3n 4.4.0 hasta antes de la versi\u00f3n 4.4.5 y desde la versi\u00f3n 4.5.0 hasta antes de la versi\u00f3n 4.5.1, un atacante puede manipular el encabezado HTTP Host en una solicitud de restablecimiento de contrase\u00f1a o creaci\u00f3n de cuenta. El enlace de confirmaci\u00f3n en el correo electr\u00f3nico resultante puede entonces apuntar a un dominio controlado por el atacante. Abrir el enlace en el correo electr\u00f3nico es suficiente para pasar el token al atacante, quien puede entonces usarlo en la instancia real de IRRD para tomar control de la cuenta. Una cuenta comprometida puede entonces ser utilizada para modificar objetos RPSL mantenidos por los mntners de la cuenta y realizar otras acciones de la cuenta. Si el usuario ten\u00eda la autenticaci\u00f3n de dos factores configurada, lo cual es requerido para usuarios con acceso de anulaci\u00f3n, un atacante no puede iniciar sesi\u00f3n, incluso despu\u00e9s de restablecer la contrase\u00f1a con \u00e9xito. Este problema ha sido parcheado en las versiones 4.4.5 y 4.5.1."
}
],
"id": "CVE-2026-28681",
"lastModified": "2026-04-21T14:45:02.460",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 5.2,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-03-06T05:16:37.710",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/irrdnet/irrd/commit/8408e0f1b9f47eb2f2e712d6153e32194df05fbb"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/irrdnet/irrd/commit/cf62df4a49d3891e80b2879d9b324d1af050000c"
},
{
"source": "security-advisories@github.com",
"tags": [
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/irrdnet/irrd/security/advisories/GHSA-22m3-c7vp-49fj"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://irrd.readthedocs.io/en/stable/releases/4.4.5"
},
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes"
],
"url": "https://irrd.readthedocs.io/en/stable/releases/4.5.1"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-601"
},
{
"lang": "en",
"value": "CWE-640"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.