EXECUTIVE SUMMARY:
CVE-2026-54588 with a CVSS score of 9.6 is a host header injection vulnerability in Poweradmin, the web interface that manages PowerDNS zones, affecting all versions prior to 4.2.4 and the 4.3.x series before 4.3.3. Poweradmin constructs OIDC redirect_uri, SAML Assertion Consumer Service/Single Logout URLs, and logout redirects directly from the HTTP Host header without validation, so an attacker can send a request with a spoofed Host value that causes the application to forward authentication tokens to an attacker‑controlled domain. The exploit requires the victim to initiate a login flow but no valid credentials; the attacker only needs a reachable server to capture the authorization code and then exchange it for a Poweradmin admin session. Once the attacker obtains an admin account, they gain complete control over DNS records, enabling domain hijacking, email interception, DKIM signature forgery, and theft of wildcard SSL certificates. The business impact includes loss of data integrity, service disruption, potential phishing campaigns, and regulatory penalties for compromised user data. Exploitation is contingent on the target being accessible, the victim starting authentication, and the attacker controlling the redirect endpoint.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY:
CVE-2026-54588 with a CVSS score of 9.6 is a host header injection vulnerability in Poweradmin, the web interface that manages PowerDNS zones, affecting all versions prior to 4.2.4 and the 4.3.x series before 4.3.3. Poweradmin constructs OIDC redirect_uri, SAML Assertion Consumer Service/Single Logout URLs, and logout redirects directly from the HTTP Host header without validation, so an attacker can send a request with a spoofed Host value that causes the application to forward authentication tokens to an attacker‑controlled domain. The exploit requires the victim to initiate a login flow but no valid credentials; the attacker only needs a reachable server to capture the authorization code and then exchange it for a Poweradmin admin session. Once the attacker obtains an admin account, they gain complete control over DNS records, enabling domain hijacking, email interception, DKIM signature forgery, and theft of wildcard SSL certificates. The business impact includes loss of data integrity, service disruption, potential phishing campaigns, and regulatory penalties for compromised user data. Exploitation is contingent on the target being accessible, the victim starting authentication, and the attacker controlling the redirect endpoint.[emaillocker id="1283"]
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/poweradmin-host-header-injection/