CVE-2026-28681 in irrd
Summary
by MITRE • 03/06/2026
Internet Routing Registry daemon version 4 is an IRR database server, processing IRR objects in the RPSL format. From version 4.4.0 to before version 4.4.5 and from version 4.5.0 to before version 4.5.1, an attacker can manipulate the HTTP Host header on a password reset or account creation request. The confirmation link in the resulting email can then point to an attacker-controlled domain. Opening the link in the email is sufficient to pass the token to the attacker, who can then use it on the real IRRD instance to take over the account. A compromised account can then be used to modify RPSL objects maintained by the account's mntners and perform other account actions. If the user had two-factor authentication configured, which is required for users with override access, an attacker is not able to log in, even after successfully resetting the password. This issue has been patched in versions 4.4.5 and 4.5.1.
Analysis
by VulDB Data Team • 03/06/2026
The Internet Routing Registry daemon version 4 (IRRd) is an IRR database server that stores and serves routing policy objects in the RPSL format. Many operators generate their BGP prefix filters from the route and route6 objects it holds, so the integrity of its data matters well beyond the host it runs on. The vulnerability affects versions 4.4.0 through 4.4.4 and version 4.5.0. It lies in the password reset and account creation workflows of the HTTP interface, which build the confirmation link in the outgoing email from the request's HTTP Host header rather than from a trusted, configured origin. Because that header is supplied by the client, this is a failure of input validation in request handling, and it directly undermines the integrity of user authentication.
Mechanically this is password reset poisoning through Host header injection. The attacker submits a password reset (or account creation) request for the victim's address while setting the Host header to a domain they control. The server accepts the header unchecked and, unless a reverse proxy in front of it rewrites the header to a fixed value, sends an email whose confirmation link points at the attacker's domain with a valid token in it. The email is otherwise genuine and comes from the real instance, so the victim has little reason to distrust it. When the victim opens the link, the browser sends the token to the attacker's server; the attacker then presents the same token to the real IRRd instance and completes the reset with a password they choose. No interaction beyond opening the link is required. VulDB classifies the issue under CWE-284 (Improper Access Control). It is not an insecure direct object reference; it is a case of trusting a client-controlled header when constructing a security-sensitive URL.
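The following is an added example, not IRRd's own code, that models the bug class described above: a reset link whose origin is copied from the request's Host header, beside a hardened version that takes the origin from configuration and refuses requests with an unexpected Host. CANONICAL_BASE_URL, ALLOWED_HOSTS, the request-header dictionaries and the /reset path are assumptions made for this example, not IRRd settings or routes.

```python
"""Building a password-reset link: the vulnerable pattern and a hardened one.

Added example, not IRRd's code. It models the bug class described above:
a confirmation link whose origin is taken from the request's Host header.
CANONICAL_BASE_URL, ALLOWED_HOSTS, the request-header dicts and the
/reset path are assumptions for this example, not IRRd settings or routes.
"""
import secrets
from urllib.parse import urlencode, urlsplit, urlunsplit

CANONICAL_BASE_URL = "https://irrd.example.net"   # assumed deployment setting
ALLOWED_HOSTS = {"irrd.example.net"}               # hostnames this instance serves


def new_token() -> str:
    """A reset token: unguessable, but worthless if it reaches the wrong host."""
    return secrets.token_urlsafe(32)


def _hostname(host_header: str) -> str:
    """Lower-case the Host value and drop an optional :port ([v6]:port aware)."""
    h = host_header.strip().lower()
    if h.startswith("["):
        return h.split("]", 1)[0] + "]"
    return h.split(":", 1)[0]


def host_is_allowed(host_header: str) -> bool:
    """Exact match against the allowlist; 'irrd.example.net.evil.example' fails."""
    return _hostname(host_header) in ALLOWED_HOSTS


def build_reset_link_vulnerable(request_headers: dict, token: str) -> str:
    """Vulnerable: the link's origin is whatever the client sent as Host.

    A request carrying 'Host: attacker.example' produces an email whose
    link, and the token in it, go to the attacker's server.
    """
    host = request_headers.get("Host", "")
    return f"https://{host}/reset?{urlencode({'token': token})}"


def build_reset_link_hardened(request_headers: dict, token: str) -> str:
    """Hardened: refuse unexpected Host values and never use them for the link."""
    if not host_is_allowed(request_headers.get("Host", "")):
        raise ValueError("unexpected Host header; not sending a reset email")
    scheme, netloc, path, _, _ = urlsplit(CANONICAL_BASE_URL)
    return urlunsplit(
        (scheme, netloc, path.rstrip("/") + "/reset", urlencode({"token": token}), "")
    )


def link_host(url: str) -> str:
    """Where the token goes when the victim opens the link."""
    return urlsplit(url).netloc


if __name__ == "__main__":
    tok = new_token()
    poisoned = {"Host": "attacker.example"}        # constructed attacker request
    print("vulnerable ->", build_reset_link_vulnerable(poisoned, tok))
    try:
        build_reset_link_hardened(poisoned, tok)
    except ValueError as e:
        print("hardened   ->", e)
    print("hardened   ->", build_reset_link_hardened({"Host": "irrd.example.net:443"}, tok))
```

The hardened variant does two independent things: it builds the link from a configured base URL, so even a forwarded hostile Host cannot change where the token is sent, and it rejects the request outright when the Host is not one the instance serves, so no email is generated at all. Either alone closes the hole; doing both also gives an explicit error to log and alert on.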
The impact goes beyond a single account. With the account's credentials the attacker can modify any RPSL object maintained by the account's mntners, and many networks generate their BGP prefix filters from route and route6 objects in the IRR. An attacker who can create or alter such objects can make an unauthorized announcement of a victim's prefix pass IRR-based filters, or cause a legitimate announcement to be filtered out, and can change aut-num policy and other objects that downstream tooling consumes. Networks that rebuild filters automatically from IRR data, and databases that mirror the affected instance, pick up such changes without human review.
Some existing controls limit the damage. An account with two-factor authentication enabled, which IRRd requires for users with override access, cannot be logged into with the reset password alone, so for those users a successful reset does not become a takeover. Accounts without 2FA have no such protection, and 2FA on a subset of users does nothing for the rest. The advisory states the issue is fixed in 4.4.5 and 4.5.1; operators on 4.4.0 through 4.4.4 or on 4.5.0 should upgrade. Independently of the upgrade, the standard mitigations for this bug class apply: configure the reverse proxy in front of IRRd to serve only the canonical hostname and to reject or rewrite other Host values, and review proxy access logs for password reset or account creation requests that carry an unexpected Host. A reset email the user did not request, or one whose link points anywhere other than the expected hostname, should be treated as an attack indicator.
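As an added example of the log review suggested above (not part of IRRd or VulDB), the script below scans constructed reverse-proxy access log lines for reset or account creation requests whose Host is not the instance's canonical name. The log format assumed is nginx-style with the $host variable prepended to each line; the endpoint paths are placeholders, not IRRd's real routes, and the log lines themselves are constructed for this example.

```python
"""Find reset / account-creation requests carrying an unexpected Host header.

Added example, not part of IRRd or VulDB. Assumes an nginx-style access log
with $host prepended to the combined format. EXPECTED_HOSTS, the endpoint
paths and SAMPLE_LOG are assumptions constructed for this example.
"""
import re
from typing import Dict, List

EXPECTED_HOSTS = {"irrd.example.net"}                                # assumed canonical name
SENSITIVE_PATHS = ("/ui/reset-password", "/ui/create-account")       # placeholder routes

# $host $remote_addr - $remote_user [$time_local] "$request" $status $bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one benign reset, one unrelated request, and three
# poisoned requests (a foreign domain, a bare IP, and a look-alike suffix).
SAMPLE_LOG = """\
irrd.example.net 203.0.113.5 - - [06/Mar/2026:10:00:01 +0000] "POST /ui/reset-password HTTP/1.1" 302 0
irrd.example.net 203.0.113.9 - - [06/Mar/2026:10:00:04 +0000] "GET /ui/login HTTP/1.1" 200 1432
attacker.example 198.51.100.7 - - [06/Mar/2026:10:00:09 +0000] "POST /ui/reset-password HTTP/1.1" 302 0
192.0.2.10 198.51.100.7 - - [06/Mar/2026:10:00:12 +0000] "POST /ui/create-account HTTP/1.1" 302 0
irrd.example.net.attacker.example 198.51.100.7 - - [06/Mar/2026:10:00:15 +0000] "POST /ui/reset-password HTTP/1.1" 302 0
"""


def _hostname(host: str) -> str:
    """Lower-case and strip an optional :port, keeping bracketed IPv6 literals intact."""
    h = host.strip().lower()
    if h.startswith("["):
        return h.split("]", 1)[0] + "]"
    return h.split(":", 1)[0]


def find_poisoned_requests(log_text: str) -> List[Dict[str, str]]:
    """Return reset/creation requests whose Host is not an expected hostname."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                                   # not an access-log line
        path = m["path"].split("?", 1)[0]
        if not path.startswith(SENSITIVE_PATHS):
            continue                                   # not a sensitive endpoint
        if _hostname(m["host"]) in EXPECTED_HOSTS:
            continue                                   # Host is the real instance
        hits.append({"time": m["time"], "client": m["client"],
                     "host": m["host"], "path": path})
    return hits


if __name__ == "__main__":
    for hit in find_poisoned_requests(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} Host={hit['host']} {hit['path']}")
```

Exact matching on the hostname is deliberate: a suffix or substring check would accept irrd.example.net.attacker.example. On a real deployment the same check belongs in the proxy configuration, so that such requests are refused rather than merely logged; the log scan then serves to confirm the proxy is doing its job and to find attempts made before it was configured.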
The lesson is a general one: a web application must never derive the origin of security-sensitive links from the HTTP Host header, because that value is under the client's control; it should come from configuration. In MITRE ATT&CK terms the attack is credential access through the reset mechanism, followed by use of the resulting valid account. Operators of IRRd should patch promptly, confirm that their reverse proxy does not forward arbitrary Host values, and enable two-factor authentication for every account whose mntners protect objects that feed routing filters, not only for users with override access.