PT-2026-23087 · Unknown · Internet Routing Registry Daemon

Published 2026-03-04 · Updated 2026-03-11 · CVE-2026-28681

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Internet Routing Registry daemon versions 4.4.0 through 4.4.5
Internet Routing Registry daemon versions 4.5.0 through 4.5.1
Description

The Internet Routing Registry daemon (IRRD) is susceptible to a manipulation issue affecting password reset and account creation requests. An attacker can exploit this by manipulating the HTTP Host header, causing the confirmation link in the resulting email to point to a domain controlled by the attacker. If the recipient opens this link, the token it carries is delivered to the attacker, enabling account takeover on the legitimate IRRD instance. A compromised account allows modification of RPSL objects and other account actions. Two-factor authentication, when configured for users with override access, prevents login even after a successful password reset. The issue stems from email links being generated from the HTTP request context, so a manipulated Host header redirects those links to an attacker-controlled domain, a technique known as password reset poisoning.
Recommendations

Internet Routing Registry daemon versions 4.4.0 through 4.4.5 should be upgraded to version 4.4.5. Internet Routing Registry daemon versions 4.5.0 through 4.5.1 should be upgraded to version 4.5.1. As a workaround, configure a reverse proxy (such as nginx) to reject requests whose Host header does not match the expected hostname. Enable two-factor authentication for all users so that a compromised password reset token alone is not sufficient for account takeover.
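As an added illustration (not code from IRRD or from this advisory), the following Python places the vulnerable link-building pattern described above beside the hardened one, and models the Host header check that the reverse proxy workaround performs in front of the application. The base URL, the allowed hostname, the link path and all function names are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Operator configuration (constructed sample values for this example).
CONFIGURED_BASE_URL = "https://irr.example.net"
ALLOWED_HOSTS = {"irr.example.net"}


def build_reset_link_vulnerable(headers: dict, token: str) -> str:
    """Vulnerable pattern: the link host is taken from the request context.

    Whoever controls the Host header controls where the emailed confirmation
    link, and therefore the token it carries, points.
    """
    host = headers.get("Host", "")
    return f"https://{host}/account/reset/{token}"


def build_reset_link_fixed(token: str, base_url: str = CONFIGURED_BASE_URL) -> str:
    """Hardened pattern: the link host comes only from operator configuration,
    so nothing in the request can influence it."""
    return f"{base_url.rstrip('/')}/account/reset/{token}"


def host_header_allowed(headers: dict, allowed: set = ALLOWED_HOSTS) -> bool:
    """Models the reverse-proxy workaround: accept a request only when its Host
    header names the expected hostname (case-insensitive, optional :port)."""
    raw = headers.get("Host", "").strip().lower()
    if not raw:
        return False
    if raw.startswith("["):                # bracketed IPv6 literal, e.g. [::1]:443
        end = raw.find("]")
        hostname = raw[: end + 1] if end != -1 else raw
    else:
        hostname = raw.split(":", 1)[0]    # drop an explicit port
    return hostname in allowed


def link_points_to_instance(link: str, base_url: str = CONFIGURED_BASE_URL) -> bool:
    """Outbound check before a confirmation mail is sent: the link must point at
    the configured instance, never at a host derived from the request."""
    return urlsplit(link).hostname == urlsplit(base_url).hostname


if __name__ == "__main__":
    token = "constructed-token-value"
    # Constructed request headers: a Host header naming a domain the operator does not own.
    tampered = {"Host": "attacker.example"}
    bad_link = build_reset_link_vulnerable(tampered, token)
    good_link = build_reset_link_fixed(token)
    print("vulnerable builder:", bad_link, "->", link_points_to_instance(bad_link))
    print("hardened builder:  ", good_link, "->", link_points_to_instance(good_link))
    print("proxy check on tampered Host:", host_header_allowed(tampered))
    print("proxy check on expected Host:", host_header_allowed({"Host": "irr.example.net:443"}))
```

The outbound check is the one worth keeping even after upgrading: a confirmation link whose hostname differs from the configured base URL should never leave the mailer, regardless of how it was built.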

Exploit

Fix

Weakness Enumeration

Open Redirect

Related Identifiers

CVE-2026-28681
GHSA-22M3-C7VP-49FJ

Affected Products

Internet Routing Registry Daemon