Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Lifecycle Timeline
6DescriptionCVE.org
User‑Controlled HTTP Header in Fortra's GoAnywhere MFT prior to version 7.10.0 allows attackers to trigger a DNS lookup, as well as DNS Rebinding and Information Disclosure.
AnalysisAI
User-controlled HTTP headers in Fortra GoAnywhere MFT prior to version 7.10.0 enable remote unauthenticated attackers to trigger arbitrary DNS lookups and execute DNS rebinding attacks, leading to information disclosure and potential service degradation. The vulnerability exploits improper handling of attacker-supplied header values in network requests, allowing reconnaissance of internal infrastructure and circumvention of network segmentation controls.
Technical ContextAI
GoAnywhere MFT, a managed file transfer solution, fails to properly validate or sanitize HTTP headers supplied by remote clients. The root cause (CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component) indicates the application passes unsanitized header data to backend DNS resolution functions or URL parsing libraries without filtering user-controlled input. This allows attackers to inject arbitrary hostnames into DNS queries, which the server then resolves using its own network stack. DNS rebinding exploits leverage this to bypass same-origin policy restrictions by resolving attacker-controlled domains to internal IP addresses (127.0.0.1, 10.0.0.0/8, etc.), enabling the attacker to perform server-side request forgery (SSRF) attacks against internal services. The vulnerability is automatable (per SSVC) because the attack requires only HTTP header manipulation, no authentication, and can be scripted easily.
RemediationAI
Upgrade Fortra GoAnywhere MFT to version 7.10.0 or later immediately. This is the vendor-released patch that addresses the HTTP header validation flaw. For organizations unable to patch immediately, implement network-level controls: restrict HTTP/HTTPS access to GoAnywhere MFT to only trusted source IP ranges, disable or firewall any public Internet exposure of the MFT administration interface, and monitor DNS query logs for suspicious patterns (e.g., resolution of private IP ranges or repeated queries to attacker-controlled domains). If the MFT application supports custom HTTP header filtering or WAF integration, configure rules to validate HTTP headers against a whitelist of expected values and reject suspicious patterns. Note: network-level mitigations do not eliminate the vulnerability but reduce its surface - patching is the definitive fix. Consult Fortra's security advisory FI-2026-005 for version-specific upgrade procedures and any additional compensating controls documented by the vendor.
More in Goanywhere Mft
View allSFTP authentication in GoAnywhere MFT prior to 7.10.0 allows remote unauthenticated attackers to bypass login attempt li
Fortra GoAnywhere MFT prior to version 7.10.0 and GoAnywhere Agents prior to version 2.2.0 use a static initialization v
SSH key brute-force attack against GoAnywhere MFT SFTP service allows remote unauthenticated attackers to compromise Web
Improper session timeout handling in Fortra GoAnywhere MFT prior to version 7.10.0 allows unauthenticated remote attacke
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24130
GHSA-6x5f-r479-qh4p