Security Flaw in AzuraCast Web Radio Management Suite
CVE-2026-42606

8.1 HIGH

Key Information:

Vendor: AzuraCast
Status: Vendor
CVE Published: 9 May 2026

What is CVE-2026-42606?

AzuraCast, a self-hosted web radio management suite, is vulnerable because its ApplyXForwarded middleware trusts the X-Forwarded-Host HTTP header from any client rather than only from an allowlisted reverse proxy. An unauthenticated attacker who supplies a crafted header while requesting a password reset can therefore control the host name embedded in the reset link. When the user follows that link, the reset token is delivered to the attacker, enabling unauthorized access to the account and potentially a change of its 2FA settings. The issue is fixed in version 0.23.6.
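The following added example (not AzuraCast's code) contrasts the weak pattern the advisory describes with the allowlist-based fix: X-Forwarded-Host is honoured only when the TCP peer is a configured trusted proxy, otherwise links are built on the operator's canonical host. The proxy ranges, canonical host and the /recover/ URL path are constructed placeholders.

```python
import ipaddress
from typing import Mapping, Sequence

# Constructed settings for this example; AzuraCast's real configuration is not reproduced.
TRUSTED_PROXIES = ["10.0.0.0/8", "127.0.0.1/32"]   # reverse proxies allowed to set X-Forwarded-*
CANONICAL_HOST = "radio.example.org"               # host the operator configured for public links

def _is_trusted_proxy(remote_addr: str, trusted: Sequence[str]) -> bool:
    """True when the TCP peer of the request is an allowlisted reverse proxy."""
    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(peer in ipaddress.ip_network(cidr, strict=False) for cidr in trusted)

def _valid_hostname(value: str) -> bool:
    """Reject values that cannot be a plain host name with an optional :port."""
    host, _, port = value.partition(":")
    if port and not port.isdigit():
        return False
    return bool(host) and all(c.isalnum() or c in ".-" for c in host)

def resolve_public_host_unconditionally(headers: Mapping[str, str],
                                        canonical_host: str = CANONICAL_HOST) -> str:
    """The weak pattern the advisory describes: whoever sends the header picks the host."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get("x-forwarded-host", canonical_host)

def resolve_public_host(headers: Mapping[str, str], remote_addr: str,
                        trusted_proxies: Sequence[str] = TRUSTED_PROXIES,
                        canonical_host: str = CANONICAL_HOST) -> str:
    """Hardened form: honour X-Forwarded-Host only from an allowlisted proxy,
    otherwise fall back to the configured canonical host."""
    lowered = {k.lower(): v for k, v in headers.items()}
    forwarded = lowered.get("x-forwarded-host", "")
    if forwarded and _is_trusted_proxy(remote_addr, trusted_proxies):
        # A proxy chain may send a comma-separated list; the first entry is the
        # host the original client addressed.
        first = forwarded.split(",")[0].strip()
        if _valid_hostname(first):
            return first
    return canonical_host

def build_reset_link(token: str, headers: Mapping[str, str], remote_addr: str) -> str:
    """Absolute password-reset URL built on the safely resolved host (placeholder path)."""
    return f"https://{resolve_public_host(headers, remote_addr)}/recover/{token}"
```

A header arriving directly from the internet is ignored by the hardened resolver, while the same header from a listed proxy is used, so reset e-mails can never point outside the operator's own host.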

Affected Version(s)

AzuraCast < 0.23.6

References

CVSS v3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
