CVE-2026-54588 · Severity: CRITICAL · CNA: GitHub_M

CVE-2026-54588: Poweradmin has Host Header Injection in OIDC redirect_uri, SAML ACS/SLO URL, and Logout Redirect Construction.

Poweradmin is a web-based DNS administration tool for PowerDNS server. Versions prior to 4.2.4 and 4.3.3 use the attacker-controlled `HTTP_HOST` request header as the authoritative source for building callback URLs in its OIDC, SAML, and logout authentication flows without any validation. An unauthenticated attacker can poison the `redirect_uri` sent to the Identity Provider, causing the IdP to redirect the victim's authorization code to an attacker-controlled server - resulting in full account takeover with no credentials required. Versions 4.2.4 and 4.3.3 patch the issue.

Metrics

  • CVSS v3.1: 9.6
  • Severity: CRITICAL
  • Fixed in: (none recorded)
  • Affected Products: 1


HarborGuard Analysis

Synopsis

Host header injection in Poweradmin (a web-based DNS administration tool for PowerDNS) allows an unauthenticated remote attacker to poison the redirect_uri used in OIDC, SAML, and logout authentication flows. By manipulating the HTTP_HOST header, the attacker causes the identity provider to redirect a victim's authorization code to an attacker-controlled server, requiring only that the victim clicks through a crafted authentication link. Successful exploitation results in full account takeover with no credentials required. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment fix versions are confirmed upstream.
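As an added illustration (not Poweradmin's own code or its patch), here is the pattern the synopsis describes: a callback builder that trusts `HTTP_HOST`, beside a hardened one that derives `redirect_uri` from a configured base URL and refuses requests whose Host header is not on an allowlist. The `base_url`, `allowed_hosts` values and the `/oidc/callback` path are assumptions.

```php
<?php
// Added example, not Poweradmin's code. Constructed configuration; a real
// deployment would load these values from its settings file.
$config = [
    'base_url'      => 'https://dns-admin.example.com',  // assumed canonical origin
    'allowed_hosts' => ['dns-admin.example.com'],        // assumed allowlist
];

/**
 * Vulnerable pattern: whoever sends the request decides, via the Host header,
 * where the IdP will later redirect the authorization code. Shown only to
 * contrast with the hardened version below.
 */
function buildRedirectUriFromHost(array $server): string
{
    return 'https://' . $server['HTTP_HOST'] . '/oidc/callback';
}

/**
 * Hardened pattern: redirect_uri is taken from configuration. The Host header
 * is only compared against an allowlist so a mismatch is refused and logged,
 * which also gives defenders a detection signal.
 */
function buildRedirectUriSafely(array $config, array $server): string
{
    $host = strtolower((string) ($server['HTTP_HOST'] ?? ''));
    // Drop an explicit port (e.g. "dns-admin.example.com:443") before comparing.
    $hostNoPort = preg_replace('/:\d+$/', '', $host);
    if (!in_array($hostNoPort, $config['allowed_hosts'], true)) {
        error_log('OIDC flow: rejected untrusted Host header "' . $host . '"');
        throw new RuntimeException('Untrusted Host header');
    }
    return rtrim($config['base_url'], '/') . '/oidc/callback';
}

// Constructed requests: one with the expected Host, one with a tampered Host.
$legit    = ['HTTP_HOST' => 'dns-admin.example.com'];
$tampered = ['HTTP_HOST' => 'untrusted-host.invalid'];

echo buildRedirectUriFromHost($tampered), PHP_EOL;   // points off-site: the bug
echo buildRedirectUriSafely($config, $legit), PHP_EOL; // configured origin
try {
    buildRedirectUriSafely($config, $tampered);
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Pairing this with an allowlist of permitted redirect_uri values on the identity provider side, as the advisory suggests, means a poisoned value is refused at both ends.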

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-54588 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Poweradmin, in both registry scans and CI pipeline checks.

Triage (Available)

Triage is available with the full CVSS v3.1 score of 9.6 (Critical), weighted against each customer environment's compliance policy to prioritize routing; findings are surfaced to the appropriate team inbox within each customer organization based on ownership and policy configuration.

Patch (Pending upstream)

Because no fix versions have been confirmed upstream at this time, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Poweradmin ships a verified fix. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be initiated without manual intervention once the upstream patch is published.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Poweradmin web interface over the network to inject a malicious HTTP_HOST header into authentication flow requests.

  • Authentication: Not required

    No account or credentials are needed; the attack is carried out entirely by an unauthenticated party who crafts a poisoned authentication link.

  • Victim interaction: Required

    A legitimate user must follow the attacker-crafted authentication link, triggering the identity provider redirect that delivers the authorization code to the attacker.

  • Attack complexity

    Exploit conditions are straightforward and reliable: no race conditions or special environment state are required beyond delivering the poisoned link to a victim.

Blast Radius

  • Reads the victim's authorization code redirected from the identity provider, enabling the attacker to complete authentication as that user and access any resource the account can reach.
  • Modifies DNS zone data and records managed through Poweradmin, because the attacker holds a fully authenticated session after takeover.
  • Gains the ability to alter or delete PowerDNS server configuration through the compromised account, depending on the account's privilege level.
  • Causes partial service disruption to availability if the attacker uses the takeover to make destructive changes to DNS records or zone data.

How HarborGuard Handles This

Available on HarborGuard: this advisory is monitored on every ingest cycle because no upstream fix has been published yet. In the interim, customers are encouraged to apply compensating controls such as network-policy isolation that restricts inbound access to Poweradmin to trusted IP ranges, egress filtering to block unauthorized redirect destinations at the perimeter, and configuration of the identity provider to enforce a strict allowlist of permitted redirect_uri values. When Poweradmin publishes versions 4.2.4 or 4.3.3 (or confirms equivalent fixes), HarborGuard will make a patched-image rebuild available immediately. For customers with auto-remediation enabled, this triggers an automatic rebuild, regression test run, and a PR opened against affected workloads, with no manual steps required.

Affected packages

  • poweradmin / poweradmin: < 4.2.4; >= 4.3.0, < 4.3.3

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L