CVE-2026-54588
Published 2026-06-23
Priority: P2 (65) · Severity: critical · CVSS 3.1 base score: 9.6
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L
EPSS: 0.31% (22.9th percentile)
Poweradmin is a web-based DNS administration tool for PowerDNS server. Versions prior to 4.2.4 and 4.3.3 use the attacker-controlled `HTTP_HOST` request header as the authoritative source for building callback URLs in its OIDC, SAML, and logout authentication flows without any validation. An unauthenticated attacker can poison the `redirect_uri` sent to the Identity Provider, causing the IdP to redirect the victim's authorization code to an attacker-controlled server - resulting in full account takeover with no credentials required. Versions 4.2.4 and 4.3.3 patch the issue.
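The description above names the flaw class (building the OIDC `redirect_uri` from `HTTP_HOST`) but not the code. The following is an added illustration written for this page, not Poweradmin's own code: the vulnerable pattern beside a hardened one that validates the Host header against an allowlist and derives the callback from configuration, plus the exact-match check a correctly configured Identity Provider applies on its side. The configuration names, callback path and hostnames are assumptions for the example.

```python
"""Constructed illustration of the flaw class described above; this is not
Poweradmin's code. Config names, the callback path and hostnames are
assumptions for the example."""
from urllib.parse import urlencode, urlsplit

# Assumed deployment configuration (placeholders, not Poweradmin option names).
TRUSTED_BASE_URL = "https://dns-admin.example.org"
ALLOWED_HOSTS = {"dns-admin.example.org"}
CALLBACK_PATH = "/oidc/callback"


def build_callback_vulnerable(env: dict) -> str:
    """The flawed pattern: the callback URL is derived from HTTP_HOST,
    a header the client sends and an attacker can set to anything."""
    scheme = "https" if env.get("HTTPS") == "on" else "http"
    return f"{scheme}://{env['HTTP_HOST']}{CALLBACK_PATH}"


def host_is_trusted(raw_host: str) -> bool:
    """Compare the Host header (case-folded, port stripped) against an allowlist.
    urlsplit handles 'host:port', '[v6]:port' and 'user@host' tricks for us."""
    return urlsplit("//" + raw_host).hostname in ALLOWED_HOSTS


def build_callback_fixed(env: dict) -> str:
    """Hardened pattern: validate Host, then build the callback from
    configuration rather than from anything in the request."""
    raw_host = env.get("HTTP_HOST", "")
    if not host_is_trusted(raw_host):
        raise ValueError(f"untrusted Host header: {raw_host!r}")
    return TRUSTED_BASE_URL + CALLBACK_PATH


def authorization_request(authorize_endpoint: str, client_id: str,
                          redirect_uri: str, state: str) -> str:
    """The URL an OIDC relying party redirects the browser to; this is where
    a poisoned redirect_uri reaches the IdP."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": "openid", "state": state}
    return f"{authorize_endpoint}?{urlencode(params)}"


def idp_accepts_redirect(registered: set, requested: str) -> bool:
    """IdP-side defence: OAuth 2.0 / OIDC require redirect_uri to match a
    registered value exactly. A correctly configured IdP stops the attack
    even when the relying party is vulnerable."""
    return requested in registered


if __name__ == "__main__":
    attacker_env = {"HTTPS": "on", "HTTP_HOST": "attacker.example"}
    bad = build_callback_vulnerable(attacker_env)
    print("vulnerable RP sends:", authorization_request(
        "https://idp.example.com/authorize", "poweradmin", bad, "s1"))
    print("strict IdP accepts it:", idp_accepts_redirect(
        {TRUSTED_BASE_URL + CALLBACK_PATH}, bad))
    try:
        build_callback_fixed(attacker_env)
    except ValueError as e:
        print("fixed RP refuses:", e)
```

The allowlist check is done on the parsed hostname rather than on the raw header so that `attacker.example:8080`, `DNS-Admin.example.org` and `dns-admin.example.org@attacker.example` are all normalised before comparison; a naive string compare on the raw value gets at least one of those wrong.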
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| poweradmin | poweradmin | < 4.2.4 | 4.2.4 |
| poweradmin | poweradmin | 4.3.x < 4.3.3 | 4.3.3 |
Detection & IOCs (extracted from sources)
- Monitor HTTP requests to Poweradmin authentication endpoints (OIDC, SAML and logout flows) whose Host header does not match the legitimate server hostname; such requests may be host-header injection attempts aimed at poisoning the redirect_uri parameter.
- Inspect the redirect_uri values Poweradmin embeds in the authorization requests it sends users to the Identity Provider with (the Location of its redirect to the IdP); a redirect_uri pointing at an external or unexpected domain is a strong indicator of active exploitation. Because OAuth 2.0 / OIDC require the IdP to accept only redirect_uri values registered for the client by exact match, also review IdP logs for rejected redirect_uri values: a rejection there means an attempt was made and blocked.
- Flag unauthenticated requests to Poweradmin's OIDC, SAML and logout callback endpoints that carry a manipulated or spoofed Host header (for example, a Host value that does not match the configured server FQDN).
- Versions before 4.2.4 on the 4.2.x branch and before 4.3.3 on the 4.3.x branch are vulnerable; upgrade to 4.2.4 or 4.3.3. Deploy the patched version before relying solely on network-level detections.
- The vulnerability affects all three authentication flows (OIDC, SAML and logout); assess all three if any of them is enabled in the Poweradmin deployment.
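As an added example of the first two detection ideas in the list above (not a rule shipped with any product), the following runs them over a few constructed reverse-proxy log lines, one JSON object per line. It assumes the proxy records the request Host header and the response Location header; the authentication route prefixes are placeholders, since the page does not state Poweradmin's actual routes. It checks both `redirect_uri` (authorization requests) and `post_logout_redirect_uri` (RP-initiated logout), which covers the OIDC and logout flows; the SAML equivalent lives inside the encoded SAMLRequest and is not decoded here.

```python
"""Constructed example, not from the Poweradmin project: apply the detection
ideas above to made-up reverse-proxy log lines (JSON per line).
Assumptions: the proxy logs the request Host header and the response
Location header; route prefixes are placeholders, as the real Poweradmin
routes are not stated on the page."""
import json
from urllib.parse import parse_qs, urlsplit

EXPECTED_HOST = "dns-admin.example.org"              # the deployment's real FQDN
AUTH_PREFIXES = ("/oidc/", "/saml/", "/logout")      # assumed route prefixes
REDIRECT_PARAMS = ("redirect_uri", "post_logout_redirect_uri")

# Constructed log lines: a legitimate login, a login with a spoofed Host whose
# Location carries a poisoned redirect_uri, an unrelated request, and a logout
# with a spoofed Host and an off-site post_logout_redirect_uri.
SAMPLE_LOG = """\
{"ts":"2026-06-23T10:00:01Z","host":"dns-admin.example.org","method":"GET","path":"/oidc/login","status":302,"location":"https://idp.example.com/authorize?response_type=code&client_id=poweradmin&redirect_uri=https%3A%2F%2Fdns-admin.example.org%2Foidc%2Fcallback&scope=openid&state=abc"}
{"ts":"2026-06-23T10:00:07Z","host":"attacker.example","method":"GET","path":"/oidc/login","status":302,"location":"https://idp.example.com/authorize?response_type=code&client_id=poweradmin&redirect_uri=https%3A%2F%2Fattacker.example%2Foidc%2Fcallback&scope=openid&state=xyz"}
{"ts":"2026-06-23T10:00:09Z","host":"10.0.0.5","method":"GET","path":"/index.php","status":200,"location":null}
{"ts":"2026-06-23T10:00:12Z","host":"attacker.example:8080","method":"GET","path":"/logout","status":302,"location":"https://idp.example.com/logout?post_logout_redirect_uri=https%3A%2F%2Fattacker.example%3A8080%2F"}
"""


def _hostname(raw: str):
    """Lower-cased host without port; None if the value is empty or unparsable."""
    return urlsplit("//" + raw).hostname


def check_host(entry: dict):
    """Auth-flow request whose Host header is not the configured FQDN."""
    if not entry["path"].startswith(AUTH_PREFIXES):
        return None
    if _hostname(entry.get("host", "")) != EXPECTED_HOST:
        return {"kind": "host_mismatch", "ts": entry["ts"], "detail": entry["host"]}
    return None


def check_location(entry: dict) -> list:
    """Redirect to the IdP whose redirect parameters point off-site."""
    loc = entry.get("location")
    if not loc:
        return []
    query = parse_qs(urlsplit(loc).query)
    findings = []
    for name in REDIRECT_PARAMS:
        for uri in query.get(name, []):
            if urlsplit(uri).hostname != EXPECTED_HOST:
                findings.append({"kind": "offsite_redirect", "ts": entry["ts"],
                                 "detail": f"{name}={uri}"})
    return findings


def analyze(lines) -> list:
    """Run both checks over an iterable of JSON log lines; return all findings."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        entry = json.loads(line)
        hit = check_host(entry)
        if hit:
            findings.append(hit)
        findings.extend(check_location(entry))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f["ts"], f["kind"], f["detail"])
```

The Host check is restricted to authentication routes on purpose: scanners and misconfigured clients send odd Host values to every path, and alerting on all of them buries the signal. The Location check is the higher-fidelity one, since an off-site redirect_uri in a response means the application actually built a poisoned URL.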
No advisories linked to this vulnerability.
No detection rules found.
No public exploits indexed.
Bugzilla · 2026-06-24 · CVSS 9.6 · CRITICAL
CVE-2026-54588 poweradmin: Poweradmin: Account takeover via malicious redirect URI in authentication flows [fedora-all]
Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Bugzilla · 2026-06-23 · CVSS 9.6 · CRITICAL
CVE-2026-54588 Poweradmin: Poweradmin: Account takeover via malicious redirect URI in authentication flows