External risk intelligence

Poweradmin Authentication Bypass Via HTTP Host Header Vulnerability.

CVE advisorySeverity: CRITICAL (CVSS 9.6)

CVE-2026-54588

Poweradmin is a web-based management interface for DNS administration. Such tools are commonly deployed as web applications intended to be accessible to administrators, often via network-exposed interfaces, making the application's authentication and callback endpoints plausible targets for internet-based interaction.

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical vulnerability in Poweradmin, a DNS administration tool. The issue allows unauthenticated attackers to potentially take over user accounts by manipulating authentication redirects. The main concern is confirming relevance and exposure for this type of system.

  • Account takeover via manipulated redirects.
  • Affects authentication; confirms user access integrity.
  • Verify if Poweradmin is used; assess potential exposure.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this vulnerability by sending a specially crafted request to Poweradmin's authentication system. By manipulating the `HTTP_HOST` header, the attacker can trick the system into sending a security code to an attacker-controlled server. This redirect allows the attacker to intercept the code and gain full account control without needing any legitimate credentials.

  • No authentication required to initiate.
  • Redirects to attacker-controlled server.
  • Full account takeover risk.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to take over a user's account by manipulating how the authentication system redirects users after they log in. When a user attempts to authenticate through the affected system, the attacker can trick the identity provider into sending the user's authorization code to a server controlled by the attacker, bypassing the need for any credentials.

  • User accounts and associated service access.
  • Attacker poisons redirect URIs to identity provider.
  • Full account takeover without credentials.

Operational Fix

Recommended remediation, mitigation, and detection steps

Application owners and infrastructure teams are likely responsible for Poweradmin, a web-based DNS administration tool. The immediate priority is to identify all instances of Poweradmin, confirm their exposure and business criticality, and then engage the accountable owner to plan remediation.

  • Identify and confirm Poweradmin instances.
  • Verify network exposure and business impact.
  • Plan and coordinate remediation efforts.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Poweradmin?

Poweradmin is a web-based management interface designed to simplify the administration of PowerDNS servers. It provides a graphical dashboard for DNS administrators to manage zones and records, acting as a bridge between users and the underlying DNS infrastructure. Because it handles sensitive authentication flows for these administrative tasks, it is a critical component in many networking environments.

What does CVE-2026-54588 mean for security?

This vulnerability involves Improper Input Validation (CWE-20) and an Open Redirect (CWE-601). In plain terms, the application blindly trusts the HTTP Host header provided by a user to construct callback URLs. An attacker can manipulate this header to hijack the authentication process, forcing the system to send sensitive authorization codes to a server they control instead of the legitimate destination.

How does an attacker trigger this vulnerability?

An attacker triggers the flaw by sending a crafted request to the application during an OIDC, SAML, or logout authentication flow. By modifying the HTTP Host header, they poison the redirect path. It is important to note that this does not require any prior authentication or credentials; however, it specifically relies on the interaction with external identity providers to intercept the authorization code.

Is my instance of Poweradmin at risk?

According to Halo Surface Signal, Poweradmin is often deployed as a web-accessible management tool. If your installation is internet-facing or reachable by untrusted network segments, it is a plausible target for this remote interaction. You should care if your deployment uses OIDC or SAML authentication, as these are the specific pathways affected by the header poisoning flaw.

How do I secure my Poweradmin installation?

The most effective step is to update your software to version 4.2.4 or 4.3.3, which contains the necessary validation logic to prevent header-based redirection attacks. While planning the update, assess the network perimeter of your Poweradmin instances to ensure they are restricted to trusted administrative subnets, reducing the likelihood of unauthorized external interaction.

References