CVE-2024-54840
Description
Host header injection in CyberArk PVWA before 14.4 allows unauthenticated open redirect via manipulated Host header.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A vulnerability in CyberArk Privileged Access Manager Self-Hosted (PVWA) allows an open redirect by trusting the Host header to construct the redirection URL. The issue affects versions before 14.4 and stems from environment-related misconfigurations that contribute to Host header injection [1][2].
Exploitation
An unauthenticated, remote attacker can manipulate the Host header in an HTTP request to PVWA. For example, sending `GET /PasswordVault/auth? HTTP/1.1` with a malicious Host header causes the server to redirect the user to the attacker-controlled domain [2]. No authentication or special privileges are required.
Impact
Successful exploitation results in an open redirect, allowing an attacker to redirect users to arbitrary domains. This can be leveraged for phishing attacks or credential theft, as users may be tricked into visiting a malicious site that mimics the legitimate PVWA interface [2].
Mitigation
The vulnerability is fixed in CyberArk Privileged Access Manager Self-Hosted version 14.4 [1]. Organizations should upgrade to this version or later. No workarounds are documented in the available references.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <14.4
- Range: 0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application trusts the Host header to construct redirection URLs, leading to Host header injection."
Attack vector
An unauthenticated, remote attacker can send a crafted HTTP GET request to the PVWA endpoint. By manipulating the `Host` header with an arbitrary domain, the attacker can cause the server to redirect the user to a malicious site. This redirection occurs because the application uses the `Host` header value directly in the `Location` header of the HTTP response, without proper validation. The advisory provides examples of redirecting to a controlled subdomain or even external domains like google.com [ref_id=1].
Affected code
The vulnerability lies in how the PVWA (Password Vault Web Access) handles the `Host` header for redirection. Specifically, the application trusts this header to construct the `Location` header in its HTTP responses, enabling Host header injection. The advisory indicates that versions prior to 14.4 are affected due to insufficient handling of environment issues contributing to this vulnerability [ref_id=1].
What the fix does
The advisory states that versions before 14.4 do not properly address environment issues that can contribute to Host header injection. While a specific patch is not detailed, the recommended mitigation involves validating the `Host` header on the server-side to ensure redirections only point to legitimate, configured domains. Disabling Host-based redirections or using a whitelist of allowed domains are also suggested [ref_id=1].
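The mechanics described above (a `Location` header built directly from the request's `Host` header) and the mitigation the advisory recommends (server-side validation of `Host` against a list of configured domains, with a fixed fallback) are illustrated in the following added example. It is not CyberArk's code and does not reproduce the PVWA implementation; the hostnames in `ALLOWED_HOSTS` and `FALLBACK_HOST`, the function names, and the sample request are assumptions constructed for the example. The last helper, `location_points_outside`, is a defender-side check that can be run over captured responses or proxy logs to flag redirects leaving the configured domains.

```python
import re
from typing import Optional, Set
from urllib.parse import urlsplit

# Assumed deployment configuration: the hostnames this PVWA instance is actually
# published under. In a real deployment this comes from server configuration.
ALLOWED_HOSTS: Set[str] = {"pvwa.example.internal", "vault.example.com"}
FALLBACK_HOST = "pvwa.example.internal"

# Constructed sample request in the shape the advisory describes.
SAMPLE_REQUEST = (
    "GET /PasswordVault/auth? HTTP/1.1\r\n"
    "Host: attacker.example\r\n"
    "User-Agent: constructed-sample\r\n"
    "\r\n"
)


def host_from_raw_request(raw: str) -> str:
    """Extract the Host header value from a raw HTTP/1.1 request text."""
    for line in raw.split("\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            return value.strip()
    return ""


def vulnerable_redirect_location(host_header: str, path: str) -> str:
    """Pattern the advisory describes: the Host header is trusted verbatim.

    Whatever the client sent as Host ends up in the Location header.
    """
    return f"https://{host_header}{path}"


def normalize_host(host_header: str) -> Optional[str]:
    """Lower-case the header, drop an optional port, reject anything that is
    not a plain DNS hostname. Returns None when the value is unusable."""
    host = host_header.strip().lower()
    if not host or host.startswith("["):
        # Empty or bracketed (IPv6) values are never in our allow-list.
        return None
    host = host.split(":", 1)[0]  # strip an explicit port
    host = host.rstrip(".")       # strip a trailing dot
    if not re.fullmatch(r"[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?", host):
        return None
    return host


def safe_redirect_location(host_header: str, path: str) -> str:
    """Hardened form: only a configured hostname is ever echoed back, and the
    path must be a plain absolute path (a leading // would become a
    scheme-relative URL to another host)."""
    host = normalize_host(host_header)
    if host not in ALLOWED_HOSTS:
        host = FALLBACK_HOST
    if not path.startswith("/") or path.startswith("//") or path.startswith("/\\"):
        path = "/"
    return f"https://{host}{path}"


def location_points_outside(location: str, allowed: Set[str]) -> bool:
    """Detection helper: True when a Location value resolves to a host that
    is not one of the configured hostnames (absolute or scheme-relative)."""
    parts = urlsplit(location)
    if not parts.netloc:
        return False  # relative redirect, stays on the current host
    host = normalize_host(parts.netloc)
    return host not in allowed


if __name__ == "__main__":
    host = host_from_raw_request(SAMPLE_REQUEST)
    path = "/PasswordVault/auth?"
    print("vulnerable:", vulnerable_redirect_location(host, path))
    print("hardened:  ", safe_redirect_location(host, path))
    print("flagged:   ", location_points_outside(vulnerable_redirect_location(host, path), ALLOWED_HOSTS))
```

Running the module shows the vulnerable builder echoing `attacker.example` into the redirect while the hardened builder falls back to the configured hostname; the detection helper flags the former and not the latter.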
Preconditions
- auth: The attacker does not require any authentication.
- network: The attacker must have network access to the PVWA endpoint.
- input: The attacker must be able to send an HTTP request with a manipulated Host header.
Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.