CVE-2026-28681— IRRd: web UI host header injection allows password reset poisoning via attacker-controlled email links

IRRd: web UI host header injection allows password reset poisoning via attacker-controlled email links

Internet Routing Registry daemon version 4 is an IRR database server, processing IRR objects in the RPSL format. From version 4.4.0 to before version 4.4.5 and from version 4.5.0 to before version 4.5.1, an attacker can manipulate the HTTP Host header on a password reset or account creation request. The confirmation link in the resulting email can then point to an attacker-controlled domain. Opening the link in the email is sufficient to pass the token to the attacker, who can then use it on the real IRRD instance to take over the account. A compromised account can then be used to modify RPSL objects maintained by the account's mntners and perform other account actions. If the user had two-factor authentication configured, which is required for users with override access, an attacker is not able to log in, even after successfully resetting the password. This issue has been patched in versions 4.4.5 and 4.5.1.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

指向未可信站点的URL重定向(开放重定向)

Internet Routing Registry Daemon 授权问题漏洞

Internet Routing Registry Daemon（IRRd）是一个路由注册表守护程序。 Internet Routing Registry daemon 4 4.4.0至4.4.5之前版本和4.5.0至4.5.1之前版本存在授权问题漏洞，该漏洞源于攻击者可操纵密码重置或账户创建请求中的HTTP Host标头，可能导致账户接管。

N/A

N/A