CVE-2026-28681

{"id": "CVE-2026-28681", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}]}, "published": "2026-03-06T05:16:37.710", "references": [{"url": "https://github.com/irrdnet/irrd/commit/8408e0f1b9f47eb2f2e712d6153e32194df05fbb", "source": "security-advisories@github.com"}, {"url": "https://github.com/irrdnet/irrd/commit/cf62df4a49d3891e80b2879d9b324d1af050000c", "source": "security-advisories@github.com"}, {"url": "https://github.com/irrdnet/irrd/security/advisories/GHSA-22m3-c7vp-49fj", "source": "security-advisories@github.com"}, {"url": "https://irrd.readthedocs.io/en/stable/releases/4.4.5", "source": "security-advisories@github.com"}, {"url": "https://irrd.readthedocs.io/en/stable/releases/4.5.1", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-601"}, {"lang": "en", "value": "CWE-640"}]}], "descriptions": [{"lang": "en", "value": "Internet Routing Registry daemon version 4 is an IRR database server, processing IRR objects in the RPSL format. From version 4.4.0 to before version 4.4.5 and from version 4.5.0 to before version 4.5.1, an attacker can manipulate the HTTP Host header on a password reset or account creation request. The confirmation link in the resulting email can then point to an attacker-controlled domain. Opening the link in the email is sufficient to pass the token to the attacker, who can then use it on the real IRRD instance to take over the account. A compromised account can then be used to modify RPSL objects maintained by the account's mntners and perform other account actions. If the user had two-factor authentication configured, which is required for users with override access, an attacker is not able to log in, even after successfully resetting the password. This issue has been patched in versions 4.4.5 and 4.5.1."}, {"lang": "es", "value": "Demonio de Internet Routing Registry versi\u00f3n 4 es un servidor de base de datos IRR, que procesa objetos IRR en formato RPSL. Desde la versi\u00f3n 4.4.0 hasta antes de la versi\u00f3n 4.4.5 y desde la versi\u00f3n 4.5.0 hasta antes de la versi\u00f3n 4.5.1, un atacante puede manipular el encabezado HTTP Host en una solicitud de restablecimiento de contrase\u00f1a o creaci\u00f3n de cuenta. El enlace de confirmaci\u00f3n en el correo electr\u00f3nico resultante puede entonces apuntar a un dominio controlado por el atacante. Abrir el enlace en el correo electr\u00f3nico es suficiente para pasar el token al atacante, quien puede entonces usarlo en la instancia real de IRRD para tomar control de la cuenta. Una cuenta comprometida puede entonces ser utilizada para modificar objetos RPSL mantenidos por los mntners de la cuenta y realizar otras acciones de la cuenta. Si el usuario ten\u00eda la autenticaci\u00f3n de dos factores configurada, lo cual es requerido para usuarios con acceso de anulaci\u00f3n, un atacante no puede iniciar sesi\u00f3n, incluso despu\u00e9s de restablecer la contrase\u00f1a con \u00e9xito. Este problema ha sido parcheado en las versiones 4.4.5 y 4.5.1."}], "lastModified": "2026-03-09T13:36:08.413", "sourceIdentifier": "security-advisories@github.com"}