exploit-intel.com
Critical Host Header Injection Vulnerability in Poweradmin (CVE-2026-54588)
A critical vulnerability identified as CVE-2026-54588 affects Poweradmin, a web-based DNS administration tool for the PowerDNS server. The flaw allows unauthenticated attackers to use the HTTP_HOST request header to manipulate the callback URLs that Poweradmin generates in its OIDC, SAML, and logout flows. Because those callback URLs are built from an attacker-controlled value, this can lead to account takeover without requiring user credentials. Versions prior to 4.2.4 and 4.3.3 are vulnerable, and a patch is available in those versions. Currently, there is no evidence of public proof-of-concept exploits or active exploitation. The vulnerability has been assigned a CVSS base score of 9.6, indicating its critical nature. Red Hat has confirmed that this vulnerability does not affect any of its supported products. Security professionals are advised to upgrade to the patched versions and implement additional network-level controls.
Key Points:
• CVE-2026-54588 is a critical vulnerability with a CVSS score of 9.6.
• Unauthenticated attackers can exploit the HTTP_HOST header for account takeover.
• Patches are available in Poweradmin versions 4.2.4 and 4.3.3.
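The bug class described above, shown as an added illustrative example (not Poweradmin's own code): a callback-URL builder that trusts the HTTP_HOST server variable beside a hardened version that derives the URL from an administrator-configured base, plus a Host allow-list check. The hostnames, the canonical base URL, and the request dictionary are constructed assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumed deployment settings (constructed for this example).
CANONICAL_BASE_URL = "https://dns.example.internal"
ALLOWED_HOSTS = {"dns.example.internal"}


def callback_url_from_host_header(server_vars, path):
    """Vulnerable pattern: the OIDC/SAML/logout callback URL is assembled
    from HTTP_HOST, which is copied verbatim from the client's Host header.
    Whoever controls that header controls where the flow returns to."""
    scheme = server_vars.get("REQUEST_SCHEME", "https")
    return f"{scheme}://{server_vars['HTTP_HOST']}{path}"


def callback_url_from_config(path):
    """Hardened pattern: the callback URL is built only from a fixed,
    operator-configured base, so the request's Host header is never used."""
    base = urlsplit(CANONICAL_BASE_URL)
    return urlunsplit((base.scheme, base.netloc, path, "", ""))


def host_header_is_trusted(server_vars):
    """Defensive check for the request layer: accept a request only when its
    Host header (port stripped, case-folded) is on the allow list."""
    host = server_vars.get("HTTP_HOST", "").split(":", 1)[0].lower()
    return host in ALLOWED_HOSTS


def untrusted_hosts_in_log(log_lines):
    """Detection over constructed access-log lines of the form
    '<client_ip> <host_header> <path>': return the Host values that are not
    on the allow list, which is the signal to look for in web-server logs."""
    hits = []
    for line in log_lines:
        _, host, _ = line.split(" ", 2)
        if host.split(":", 1)[0].lower() not in ALLOWED_HOSTS:
            hits.append(host)
    return hits


if __name__ == "__main__":
    # Constructed request: the Host header carries an attacker-chosen name.
    req = {"HTTP_HOST": "attacker.example", "REQUEST_SCHEME": "https"}
    print(callback_url_from_host_header(req, "/oidc/callback"))
    print(callback_url_from_config("/oidc/callback"))
    print(host_header_is_trusted(req))
```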