- CVE: CVE-2026-54588
- CVSS: 9.6 (Critical · CVSSv3)
- Product: poweradmin
- Affected: < 4.2.4; >= 4.3.0 and < 4.3.3
- Impact: Poweradmin has Host Header Injection in OIDC redirect_uri, SAML ACS/SLO URL, and Logout Redirect Construction.
- Status: No confirmed exploitation yet
- EPSS: 0.3% (30-day)
- Action: See vendor advisory
TL;DR
A critical flaw in Poweradmin lets attackers take over DNS administrator accounts. Tracked as CVE-2026-54588, it scores 9.6 on the CVSS scale. The bug is a host header injection in the redirect URLs Poweradmin builds for its OIDC, SAML and logout flows.
Why it matters
Poweradmin is a web front end for managing PowerDNS zones, and many organizations run it. A stolen admin account hands attackers full control of those zones. From there, they can repoint MX records to hijack inbound email, including password-reset messages; publish their own DKIM keys so forged mail passes signature checks; and pass DNS-based domain validation to obtain certificates for the domain, wildcard ones included. Therefore, a single account takeover can expose an entire domain.
How the Poweradmin host header injection works
Poweradmin builds its login callback URLs (the OIDC redirect_uri, the SAML ACS and SLO URLs, and the post-logout redirect) from the HTTP Host header, and it trusts that header without validation. An attacker sends a login request with a spoofed Host value and gets back an authorization URL whose redirect_uri points at a host the attacker controls. The attacker then delivers that URL to a victim. When the victim completes the login at the identity provider, the provider sends the authorization code to the attacker's server instead of to Poweradmin. Three flows are affected: OIDC, SAML, and logout. The attack needs no password, but the victim must start a login from the attacker's link for it to work. One caveat: an identity provider that strictly allowlists redirect_uri values for the client will reject the poisoned one, so IdP-side hygiene limits the damage but does not fix the bug in Poweradmin.
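The construction described above, as an added example in Python that is not Poweradmin's own code (Poweradmin is written in PHP; this mirrors the pattern, not its source). The vulnerable builder copies the Host header into the callback URL; the two hardened builders take the origin from operator configuration or from an explicit allowlist. The host names, the /oidc/callback path, the client_id and the IdP endpoint are all constructed placeholders.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed request headers (not a real capture): an attacker sets Host freely.
ATTACKER_HOST = "evil.example"
SPOOFED_HEADERS = {"Host": ATTACKER_HOST, "X-Forwarded-Proto": "https"}
LEGIT_HEADERS = {"Host": "dns-admin.example.org", "X-Forwarded-Proto": "https"}

# Hypothetical path and endpoint; Poweradmin's real routes are not taken from the page.
CALLBACK_PATH = "/oidc/callback"
AUTHORIZE_ENDPOINT = "https://idp.example/authorize"


def build_redirect_uri_vulnerable(headers, path=CALLBACK_PATH):
    """The pattern the advisory describes: the callback origin is copied from the
    client-supplied Host header, so whoever sends the request picks the host
    that will later receive the authorization code."""
    scheme = headers.get("X-Forwarded-Proto", "https")
    return f"{scheme}://{headers['Host']}{path}"


def build_redirect_uri_hardened(headers, base_url, path=CALLBACK_PATH):
    """Hardened form: the origin comes from operator configuration and the Host
    header is never consulted.  base_url plays the role of a setting such as
    Poweradmin's interface.base_url."""
    parts = urlsplit(base_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("base_url must be an absolute http(s) URL")
    return f"{parts.scheme}://{parts.netloc}{parts.path.rstrip('/')}{path}"


def build_redirect_uri_allowlisted(headers, allowed_hosts, path=CALLBACK_PATH):
    """Alternative hardening when the app must answer on several host names:
    honour the Host header only if it is on an explicit allowlist."""
    host = headers["Host"].lower()
    if host not in {h.lower() for h in allowed_hosts}:
        raise ValueError(f"untrusted Host header: {host!r}")
    return f"https://{host}{path}"


def build_authorize_url(redirect_uri, client_id="poweradmin", state="s0"):
    """The URL the user's browser is sent to.  redirect_uri tells the IdP where
    to deliver the authorization code, which is why poisoning it matters."""
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
    })
    return f"{AUTHORIZE_ENDPOINT}?{query}"


def code_lands_on_attacker(authorize_url, attacker_host):
    """True if the redirect_uri inside the authorize URL points at the
    attacker's host, i.e. the flow as built is exploitable."""
    redirect_uri = parse_qs(urlsplit(authorize_url).query)["redirect_uri"][0]
    return urlsplit(redirect_uri).hostname == attacker_host


if __name__ == "__main__":
    vuln = build_authorize_url(build_redirect_uri_vulnerable(SPOOFED_HEADERS))
    fixed = build_authorize_url(
        build_redirect_uri_hardened(SPOOFED_HEADERS, "https://dns-admin.example.org"))
    print("vulnerable:", vuln, code_lands_on_attacker(vuln, ATTACKER_HOST))
    print("hardened:  ", fixed, code_lands_on_attacker(fixed, ATTACKER_HOST))
```

The configured-base-URL variant is the simplest fix for a single-host deployment; the allowlist variant is for instances legitimately served under more than one name. Either way the rule is the same: the Host header is attacker input and must never become the origin of a security-relevant URL.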
Affected versions
The flaw hits Poweradmin versions below 4.2.4. It also affects the 4.3.x branch before 4.3.3. The project fixed both lines in releases 4.2.4 and 4.3.3.
Exploitation status
No public proof-of-concept exists yet. Researchers report no in-the-wild abuse so far. A security researcher disclosed the issue privately through GitHub.
Patch and mitigation
Update now to Poweradmin 4.2.4 or 4.3.3; the 4.2.4 release is available directly from GitHub. As a stopgap, set interface.base_url in config/settings.php to the canonical URL of your instance. With that set, Poweradmin builds its callback and redirect URLs from the configured value instead of the Host header. After patching or applying the stopgap, confirm the fix by requesting the login page with a bogus Host header and checking that the redirect it returns still points at your real host name. If a reverse proxy sits in front of Poweradmin, also make sure it only forwards requests for the host names you actually serve.
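One way to verify the patch or the base_url stopgap, as an added example that is not from the page or the project: a checker that takes a raw HTTP response captured with a spoofed Host header and reports wherever that host was reflected, whether as the Location target itself (the logout case), inside a URL-valued query parameter such as the OIDC redirect_uri, or in the body. The responses below are constructed, and the login path, idp.example and dns-admin.example.org are placeholders.

```python
from urllib.parse import parse_qs, urlsplit


def probe_argv(login_url, spoofed_host):
    """Command line for fetching a login redirect with a spoofed Host header.
    curl is assumed to be installed; -s silences progress, -i keeps the
    response headers, and curl does not follow redirects by default, so the
    Location header stays visible.  Feed the output to find_host_reflection."""
    return ["curl", "-s", "-i", "-H", f"Host: {spoofed_host}", login_url]


def find_host_reflection(raw_response, spoofed_host):
    """Report where the spoofed host surfaced in an HTTP response.  Returns a
    list of labels; an empty list means the server ignored the Host header."""
    wanted = urlsplit("//" + spoofed_host).hostname  # strips any :port
    head, _, body = raw_response.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    findings = []
    location = headers.get("location")
    if location:
        loc = urlsplit(location)
        if loc.hostname == wanted:
            findings.append("Location host")
        # URL-valued parameters (redirect_uri, post-logout targets, ...)
        for name, values in parse_qs(loc.query).items():
            for value in values:
                if urlsplit(value).hostname == wanted:
                    findings.append(f"Location param {name}")
    if wanted and wanted in body.lower():
        findings.append("body")
    return findings


# Constructed responses, not captures from a real Poweradmin instance.
VULNERABLE_LOGIN = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://idp.example/authorize?response_type=code&client_id=poweradmin"
    "&redirect_uri=https%3A%2F%2Fevil.example%2Foidc%2Fcallback&state=s0\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
FIXED_LOGIN = VULNERABLE_LOGIN.replace("evil.example", "dns-admin.example.org")
VULNERABLE_LOGOUT = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://evil.example/index.php?page=login\r\n"
    "\r\n"
)


if __name__ == "__main__":
    print(" ".join(probe_argv("https://dns-admin.example.org/index.php?page=login",
                              "evil.example")))
    for label, resp in (("login (vulnerable)", VULNERABLE_LOGIN),
                        ("login (fixed)", FIXED_LOGIN),
                        ("logout (vulnerable)", VULNERABLE_LOGOUT)):
        print(label, "->", find_host_reflection(resp, "evil.example") or "clean")
```

Run the probe against the real login URL of your instance and paste the response into find_host_reflection; any non-empty result after setting interface.base_url means the stopgap is not in effect for that flow. Check the OIDC login, the SAML login and the logout endpoint separately, since the advisory lists all three.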