Unrated severityNVD Advisory· Published Jun 23, 2026

Poweradmin has Host Header Injection in OIDC redirect_uri, SAML ACS/SLO URL, and Logout Redirect Construction.

CVE-2026-54588

Description

Poweradmin is a web-based DNS administration tool for PowerDNS server. Versions prior to 4.2.4 and 4.3.3 use the attacker-controlled HTTP_HOST request header as the authoritative source for building callback URLs in its OIDC, SAML, and logout authentication flows without any validation. An unauthenticated attacker can poison the redirect_uri sent to the Identity Provider, causing the IdP to redirect the victim's authorization code to an attacker-controlled server - resulting in full account takeover with no credentials required. Versions 4.2.4 and 4.3.3 patch the issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

Poweradmin/Poweradminllm-fuzzy
Range: <4.2.4, <4.3.3

Patches

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/poweradmin/poweradmin/releases/tag/v4.2.4mitrex_refsource_MISC
github.com/poweradmin/poweradmin/releases/tag/v4.3.3mitrex_refsource_MISC
github.com/poweradmin/poweradmin/security/advisories/GHSA-3735-5339-xfwxmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000