PT-2026-37205 · Azuracast · Azuracast

Offset · Published 2026-05-04 · Updated 2026-05-13 · CVE-2026-42606

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: AzuraCast versions prior to 0.23.6

Description: The ApplyXForwarded middleware unconditionally trusts the client-supplied X-Forwarded-Host HTTP header without a trusted proxy allowlist. An unauthenticated attacker can exploit this by injecting the X-Forwarded-Host header when triggering the forgot-password flow, poisoning the password reset URL sent to a user. If the victim clicks the link, their reset token is exfiltrated to the attacker's server. The attacker can then use this token on the legitimate instance to reset the victim's password and destroy their two-factor authentication (2FA) configuration, resulting in full account takeover.

Recommendations: Update to version 0.23.6. As a temporary workaround, restrict access to the ApplyXForwarded middleware or ensure that the X-Forwarded-Host header is stripped or validated by a trusted reverse proxy before reaching the application.
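The weakness and its fix come down to one decision: whose X-Forwarded-Host may influence the host placed in the reset link. The following Python is an added illustration, not AzuraCast's code and not the patched ApplyXForwarded middleware. It contrasts the unconditional pattern described above with a version that honours the header only when the immediate peer is in a trusted proxy allowlist and the value is syntactically a host; the allowlist networks, header dictionary shape, hostnames and the /recover/ path are all constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed allowlist (assumption): only these networks may set X-Forwarded-*.
# A real deployment lists the addresses of its own reverse proxies.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8"), ip_network("127.0.0.0/8")]

# Syntactic check: hostname or IPv4 literal with an optional port.
# Bracketed IPv6 literals are rejected here to keep the pattern short.
_HOST_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]{0,252}[A-Za-z0-9])?(:\d{1,5})?$")


def effective_host_unconditional(headers: dict, canonical_host: str) -> str:
    """Vulnerable pattern: the forwarded host wins no matter who sent it."""
    return headers.get("X-Forwarded-Host", canonical_host)


def effective_host_allowlisted(peer_ip: str, headers: dict, canonical_host: str,
                               trusted=TRUSTED_PROXIES) -> str:
    """Hardened pattern: use X-Forwarded-Host only when the direct peer is an
    allowlisted proxy and the value looks like a host; otherwise fall back to
    the configured canonical host."""
    try:
        peer = ip_address(peer_ip)
    except ValueError:
        return canonical_host
    if not any(peer in net for net in trusted):
        # Request came straight from a client: its forwarded headers are untrusted.
        return canonical_host
    forwarded = headers.get("X-Forwarded-Host", "")
    # A proxy chain may append values; the first entry is the client-facing host.
    first = forwarded.split(",")[0].strip()
    if first and _HOST_RE.match(first):
        return first
    return canonical_host


def build_reset_url(host: str, token: str, scheme: str = "https") -> str:
    """URL embedded in the password-reset e-mail (path is hypothetical)."""
    return f"{scheme}://{host}/recover/{token}"


if __name__ == "__main__":
    canonical = "radio.example.org"            # constructed
    spoofed = {"X-Forwarded-Host": "attacker.example"}  # constructed header
    print("unconditional:", build_reset_url(
        effective_host_unconditional(spoofed, canonical), "TOKEN"))
    print("allowlisted:  ", build_reset_url(
        effective_host_allowlisted("203.0.113.7", spoofed, canonical), "TOKEN"))
```

With the allowlisted variant, a request arriving directly from an untrusted address keeps the configured host in the reset link even when it carries a forged header, which is exactly the property the workaround asks the reverse proxy to enforce when the application cannot yet be updated.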


Weakness Enumeration

Related Identifiers

CVE-2026-42606
GHSA-GV7R-3MR9-H5X8

Affected Products

Azuracast