cbcvebase.
CVE-2026-54588
published 2026-06-23


Priority: P2 (65)
Severity: critical, CVSS 3.1 base score 9.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L
EPSS: 0.31% (22.9th percentile)
Poweradmin is a web-based DNS administration tool for PowerDNS server. Versions prior to 4.2.4 and 4.3.3 use the attacker-controlled `HTTP_HOST` request header as the authoritative source for building callback URLs in its OIDC, SAML, and logout authentication flows without any validation. An unauthenticated attacker can poison the `redirect_uri` sent to the Identity Provider, causing the IdP to redirect the victim's authorization code to an attacker-controlled server - resulting in full account takeover with no credentials required. Versions 4.2.4 and 4.3.3 patch the issue.

Affected (2 ranges)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| poweradmin | poweradmin | < 4.2.4 | 4.2.4 |
| poweradmin | poweradmin | < 4.3.3 | 4.3.3 |

Detection & IOCs (extracted from sources)

  • Monitor for HTTP requests to Poweradmin authentication endpoints (OIDC, SAML, logout flows) where the HTTP_HOST header value differs from the legitimate server hostname, which may indicate host header injection attempts to poison the redirect_uri parameter.
  • Inspect outbound redirect_uri values sent to the Identity Provider from Poweradmin; a redirect_uri pointing to an external or unexpected domain is a strong indicator of active exploitation.
  • Flag unauthenticated requests to Poweradmin OIDC/SAML/logout callback endpoints that carry a manipulated or spoofed Host header (e.g., Host header not matching the configured server FQDN).
  • Versions prior to 4.2.4 (v4.2.x branch) and 4.3.3 (v4.3.x branch) are vulnerable; upgrade to 4.2.4 or 4.3.3 to patch the issue. Ensure the patched version is deployed before relying solely on network-level detections.
  • The vulnerability affects all three authentication flows (OIDC, SAML, and logout); all three must be assessed if any are enabled in the Poweradmin deployment.
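The two patterns behind this advisory, the callback URL built from the request's `HTTP_HOST` header and the Host-header mismatch check the detection bullets describe, as an added illustration that is not Poweradmin's code. The base URL, the allowlist, the endpoint paths, the `key=value` log format and the log lines are all constructed for this example; the point is that the hardened builder takes the absolute URL from configuration and rejects unexpected Host values, and that the same allowlist drives the log check.

```python
"""Host-header-driven callback URLs: an illustrative vulnerable builder beside
its hardened form, plus a log check for Host values that do not match the
configured hostname on authentication endpoints.

Constructed example, not Poweradmin code. Hostnames, paths, log format and
sample log lines are assumptions made for this illustration only."""
from urllib.parse import urlencode

# Assumed hostname the deployment is actually served under (constructed).
CONFIGURED_BASE_URL = "https://dns.example.internal"
ALLOWED_HOSTS = {"dns.example.internal"}

# Assumed paths for the three affected flows: OIDC, SAML, logout (constructed).
AUTH_PATHS = ("/oidc/callback", "/saml/acs", "/logout")


def callback_url_from_host_header(headers: dict, path: str) -> str:
    """Vulnerable pattern: trusts the request's Host header when building an
    absolute callback URL, so whoever controls Host controls redirect_uri."""
    return f"https://{headers['Host']}{path}"


def callback_url_from_config(headers: dict, path: str) -> str:
    """Hardened pattern: the absolute URL comes from configuration, and a Host
    value outside the allowlist is rejected instead of being echoed back."""
    host = headers.get("Host", "").split(":")[0].lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected Host header: {host!r}")
    return CONFIGURED_BASE_URL.rstrip("/") + path


def authorize_params(redirect_uri: str) -> str:
    """Query string the relying party would send to the IdP; shown so a
    poisoned redirect_uri is visible end to end."""
    return urlencode({"response_type": "code", "redirect_uri": redirect_uri})


# Constructed access-log excerpt in a simple key=value format (assumed).
SAMPLE_LOG = """\
ip=10.0.0.5 method=GET path=/oidc/callback host=dns.example.internal status=302
ip=203.0.113.9 method=GET path=/oidc/callback host=attacker.example status=302
ip=10.0.0.7 method=GET path=/index.php host=attacker.example status=200
ip=203.0.113.9 method=POST path=/saml/acs host=dns.example.internal:8443 status=302
ip=198.51.100.4 method=GET path=/logout host=Evil.Example status=302
"""


def parse_log_line(line: str) -> dict:
    """Split one 'key=value key=value ...' line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split())


def is_auth_endpoint(path: str) -> bool:
    """True for the OIDC, SAML and logout paths assumed above."""
    return any(path.startswith(p) for p in AUTH_PATHS)


def find_host_mismatches(log_text: str) -> list:
    """Return (ip, path, host) for requests to an auth endpoint whose Host
    header (port stripped, case-folded) is not the configured hostname.
    Non-auth paths are ignored; a port suffix on an allowed host is fine."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_log_line(line)
        host = rec.get("host", "").split(":")[0].lower()
        if is_auth_endpoint(rec.get("path", "")) and host not in ALLOWED_HOSTS:
            hits.append((rec["ip"], rec["path"], rec["host"]))
    return hits


if __name__ == "__main__":
    spoofed = {"Host": "attacker.example"}
    print("vulnerable:", callback_url_from_host_header(spoofed, "/oidc/callback"))
    print("to IdP    :", authorize_params(callback_url_from_host_header(spoofed, "/oidc/callback")))
    try:
        callback_url_from_config(spoofed, "/oidc/callback")
    except ValueError as exc:
        print("hardened  :", exc)
    for hit in find_host_mismatches(SAMPLE_LOG):
        print("flagged   :", hit)
```

The log check deliberately strips a port suffix and case-folds before comparing, so `dns.example.internal:8443` is treated as the configured host while `Evil.Example` on `/logout` is still flagged; a request with a foreign Host header to a non-authentication path is left alone, matching the scope of the detection bullets above.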