DNS Administration Tool Vulnerability in Poweradmin by PowerDNS
CVE-2026-54588

9.6 CRITICAL

Key Information:

Vendor: Poweradmin

CVE Published: 23 June 2026

What is CVE-2026-54588?

Poweradmin, a web-based DNS administration tool for PowerDNS, does not properly validate the HTTP_HOST request header, which it uses when building the redirect_uri for its OIDC, SAML, and logout flows. An unauthenticated attacker who controls that header can therefore point the redirect_uri at a server of their choosing; if the authorization code issued during login is delivered there, the attacker can complete the login and take over the account without knowing the victim's credentials. Users of Poweradmin should upgrade to version 4.2.4 or 4.3.3, which address this issue.
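To make the flaw described above concrete from the defender's side, the block below shows the pattern that causes it (a redirect_uri derived from the incoming Host header) next to a hardened form that uses a configured base URL and a Host allowlist, a safe handler for a post-logout return target, and a small log check that flags requests arriving with an unexpected Host. This is an added Python example, not Poweradmin's code; the host names, callback path, the `environ` dictionary shape (mirroring a PHP-style server variable array) and the log line format are all constructed assumptions.

```python
"""Host-header handling for authentication redirects: the vulnerable pattern,
a hardened replacement, and a log check.  Added example; not Poweradmin's code.
All host names, paths and log lines are constructed for illustration."""
from urllib.parse import urlsplit

# Constructed deployment configuration.  Assumption: the application is told
# its own public base URL instead of inferring it from each request.
CANONICAL_BASE_URL = "https://dns-admin.example.org"
ALLOWED_HOSTS = {"dns-admin.example.org"}
CALLBACK_PATH = "/oidc/callback"


def _host_without_port(host):
    """Normalise a Host header value: lowercase, no surrounding whitespace,
    optional :port removed.  IPv6 literals are bracketed, so keep the bracket."""
    host = host.strip().lower()
    if host.startswith("["):
        return host.split("]")[0] + "]"
    return host.rsplit(":", 1)[0] if ":" in host else host


def redirect_uri_vulnerable(environ):
    """The flawed pattern: redirect_uri is built from HTTP_HOST exactly as the
    client sent it, so whoever controls that header chooses where the
    authorization code is delivered.  `environ` mimics a PHP-style $_SERVER."""
    scheme = "https" if environ.get("HTTPS") == "on" else "http"
    return f"{scheme}://{environ['HTTP_HOST']}{CALLBACK_PATH}"


def redirect_uri_hardened(environ):
    """Hardened form: reject any request whose Host is not on the allowlist and
    never derive the redirect_uri from request data at all."""
    host = _host_without_port(environ.get("HTTP_HOST", ""))
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected Host header: {environ.get('HTTP_HOST')!r}")
    return CANONICAL_BASE_URL + CALLBACK_PATH


def safe_post_logout_target(requested):
    """Logout flows often accept a 'return to' target.  Accept only a same-site
    relative path or an absolute https URL on an allowlisted host; anything
    else (including scheme-relative '//host' and backslash tricks) falls back
    to the canonical base."""
    fallback = CANONICAL_BASE_URL + "/"
    if not requested or "\\" in requested:
        return fallback
    parts = urlsplit(requested)
    if not parts.scheme and not parts.netloc and requested.startswith("/"):
        return CANONICAL_BASE_URL + requested
    if parts.scheme == "https" and _host_without_port(parts.netloc) in ALLOWED_HOSTS:
        return requested
    return fallback


# Constructed access-log sample in the format '<client> <host> "<request>" <status>'.
SAMPLE_LOG = [
    '203.0.113.7 dns-admin.example.org "GET /oidc/login HTTP/1.1" 302',
    '203.0.113.9 rogue-host.example "GET /oidc/login HTTP/1.1" 302',
    '203.0.113.7 dns-admin.example.org:443 "GET /logout HTTP/1.1" 302',
]


def suspicious_host_lines(log_lines):
    """Detection aid: return log lines whose Host field is outside the
    allowlist.  A login or logout request reaching the app under a foreign
    Host value is exactly what this class of bug needs, so it is worth alerting on."""
    hits = []
    for line in log_lines:
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue
        if _host_without_port(parts[1]) not in ALLOWED_HOSTS:
            hits.append(line)
    return hits


if __name__ == "__main__":
    good = {"HTTP_HOST": "dns-admin.example.org:443", "HTTPS": "on"}
    print("hardened redirect_uri:", redirect_uri_hardened(good))
    print("flagged log lines:", suspicious_host_lines(SAMPLE_LOG))
```

The important design choice is that the hardened path never consults the Host header to build the URL; the allowlist check exists only to refuse requests that arrive under a name the deployment does not own. Terminating the allowlist at the reverse proxy (a default virtual host that returns an error for unknown names) gives the same protection one layer earlier.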

Affected Version(s)

poweradmin < 4.2.4 (fixed in 4.2.4)

poweradmin >= 4.3.0, < 4.3.3 (fixed in 4.3.3)

CVSS V3.1

Score: 9.6
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
