Skip to main content

Poweradmin CVE-2026-54588

CRITICAL
Improper Input Validation (CWE-20)
2026-06-23 GitHub_M
9.6
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L
vuln.today AI
9.3 CRITICAL

Network-reachable Host header poisoning, no privileges, victim click required (UI:R); scope changes to IdP identity (S:C); no availability impact so A:N rather than A:L.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 23, 2026 - 22:45 vuln.today
Analysis Generated
Jun 23, 2026 - 22:45 vuln.today

DescriptionCVE.org

Poweradmin is a web-based DNS administration tool for PowerDNS server. Versions prior to 4.2.4 and 4.3.3 use the attacker-controlled HTTP_HOST request header as the authoritative source for building callback URLs in its OIDC, SAML, and logout authentication flows without any validation. An unauthenticated attacker can poison the redirect_uri sent to the Identity Provider, causing the IdP to redirect the victim's authorization code to an attacker-controlled server - resulting in full account takeover with no credentials required. Versions 4.2.4 and 4.3.3 patch the issue.

AnalysisAI

Account takeover in Poweradmin versions prior to 4.2.4 and 4.3.3 allows remote unauthenticated attackers to hijack OIDC and SAML authentication flows by poisoning the HTTP Host header used to construct the redirect_uri sent to the Identity Provider. By tricking a victim into clicking a crafted login link, the attacker causes the IdP to deliver the authorization code to an attacker-controlled host, yielding full account access with no credentials required. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify Poweradmin instance using SSO
Delivery
Craft login URL with attacker Host header
Exploit
Send phishing link to operator
Install
Victim authenticates at IdP
C2
IdP redirects code to attacker server
Execute
Exchange code for session
Impact
Take over DNS-admin account

Vulnerability AssessmentAI

Exploitation The Poweradmin instance must be configured with OIDC, SAML, or the affected logout flow as an authentication option, and interface.application_url must not be set (so the code falls back to the request Host header). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS 3.1 vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L (9.6 Critical) is largely defensible: the attack is network-reachable, requires no privileges, and crosses a scope boundary into the IdP-authenticated identity. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends a victim Poweradmin operator a phishing link to the legitimate Poweradmin login endpoint but with an HTTP Host header (or proxy-routed Host) pointing to attacker.example. Poweradmin builds the OIDC redirect_uri using that Host, the IdP authenticates the victim and 302-redirects the authorization code to attacker.example, and the attacker exchanges the code for a valid session - taking over the victim's DNS-admin account. …
Remediation Vendor-released patch: upgrade to Poweradmin 4.2.4 (https://github.com/poweradmin/poweradmin/releases/tag/v4.2.4) or 4.3.3 (https://github.com/poweradmin/poweradmin/releases/tag/v4.3.3), and after upgrading explicitly set interface.application_url in the configuration to the canonical externally reachable URL so callback URLs are anchored server-side rather than falling back to request data. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Poweradmin deployments, current versions, and count of affected users; assess which systems use OIDC or SAML authentication. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54588 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy