CVE-2026-28681

Severity: High
Published: 06 March 2026
Modified: 21 April 2026
KEV Added: not listed
Patch: available (4.4.5 / 4.5.1)
CVSS Score v3.1: 8.1 (High) CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS Score: 0.0043 (34.1st percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-28681 is a high-severity Open Redirect (CWE-601) vulnerability in the Internet Routing Registry Daemon (IRRd), maintained by the Internet Routing Registry Daemon Project. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 34.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-28681 is a vulnerability in the Internet Routing Registry daemon (IRRd) version 4, an IRR database server that processes objects in RPSL format. It affects versions from 4.4.0 up to but not including 4.4.5, and from 4.5.0 up to but not including 4.5.1. The issue stems from improper handling of the HTTP Host header in password reset and account creation requests: the confirmation link placed in the resulting email is built from the client-supplied Host value, so an attacker can make that link point at a host they control. This flaw is classified under CWE-601 (URL Redirection to Untrusted Site) and CWE-640 (Weak Password Recovery Mechanism for Passwords), with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N).

An unauthenticated attacker (PR:N) can exploit this by submitting a password reset or account creation request for the victim's account with a falsified Host header. When the targeted user opens the confirmation link in the resulting email (UI:R), the still-valid token is delivered to the attacker's host. The attacker then replays this token against the legitimate IRRd instance to complete the reset or creation flow and take over the account. With a compromised account, the attacker can modify RPSL objects maintained by the account's mntners and perform other account actions. If the account has two-factor authentication enabled, which IRRd requires for users with override access, the attacker cannot log in even after a successful password reset; the exposure is therefore greatest for accounts without a second factor.

The vulnerability has been patched in IRRd versions 4.4.5 and 4.5.1, as detailed in the project's GitHub security advisory (GHSA-22m3-c7vp-49fj) and the corresponding release notes; the fixing commits are linked from the advisory and validate the Host header so that confirmation links can no longer point at an untrusted domain. Security practitioners should upgrade affected IRRd instances promptly. Where an upgrade must wait, a reverse proxy in front of the HTTP interface that only accepts requests for the instance's canonical hostname (rejecting or rewriting any other Host value) closes the same path from the outside. After upgrading, it is worth reviewing recent password reset and account creation activity, confirming that accounts with override access have two-factor authentication enabled, and checking other email confirmation flows for the same pattern of deriving links from request headers.
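The following is an added example, not IRRd project code, showing the two patterns the advisory contrasts: a password-reset mailer that derives its confirmation link from the request's Host header, next to the hardened form that builds the link from an operator-configured canonical base URL and additionally rejects requests for unknown hosts (the SI-10 input-validation control). The function names, the `/ui/password-reset/` path, the hostnames and the dict-shaped headers are assumptions for illustration.

```python
"""Added example (not IRRd project code): a password-reset mailer that derives
its confirmation link from the request's Host header, next to the hardened
form that builds the link from a configured canonical base URL. The function
names, URL path and the dict-shaped headers are assumptions for illustration."""
import secrets
from urllib.parse import urlsplit, urlunsplit

# Constructed values for the example.
CANONICAL_BASE_URL = "https://irrd.example.net"   # operator-configured public origin
ALLOWED_HOSTS = {"irrd.example.net"}               # hostnames this instance answers for
ATTACKER_HOST = "irrd.attacker.example"            # host the attacker controls
RESET_PATH = "/ui/password-reset/"                 # assumed confirmation path


def new_reset_token() -> str:
    """An unguessable token: the reset flow's only secret."""
    return secrets.token_urlsafe(32)


def vulnerable_confirmation_url(headers: dict, token: str) -> str:
    """Pre-fix pattern: the link's host comes straight from the client's Host header."""
    host = headers.get("Host", "localhost")
    return f"https://{host}{RESET_PATH}{token}"


def hardened_confirmation_url(headers: dict, token: str) -> str:
    """Post-fix pattern: Host is ignored; the link always targets the canonical origin."""
    base = urlsplit(CANONICAL_BASE_URL)
    return urlunsplit((base.scheme, base.netloc, RESET_PATH + token, "", ""))


def host_header_is_allowed(headers: dict, allowed_hosts: set = ALLOWED_HOSTS) -> bool:
    """Defence in depth (SI-10): reject requests whose Host is not one we serve.

    urlsplit on '//' + host strips the port, lower-cases the name and unwraps
    bracketed IPv6 literals; the comparison is exact rather than suffix-based,
    so 'irrd.example.net.attacker.example' is rejected.
    """
    hostname = urlsplit("//" + headers.get("Host", "")).hostname
    return hostname is not None and hostname in allowed_hosts


def simulate_attack(build_url) -> bool:
    """Model the chain from the advisory: the attacker requests a reset for the
    victim with a spoofed Host, the victim opens the mailed link, and whoever
    owns the link's hostname receives the token. Returns True if the attacker
    ends up holding a token the real instance would accept."""
    token = new_reset_token()
    valid_tokens = {token}                       # what the real instance accepts
    link = build_url({"Host": ATTACKER_HOST}, token)
    parts = urlsplit(link)
    captured = parts.path.rsplit("/", 1)[-1] if parts.hostname == ATTACKER_HOST else None
    return captured in valid_tokens


if __name__ == "__main__":
    print("vulnerable pattern leaks token:", simulate_attack(vulnerable_confirmation_url))
    print("hardened pattern leaks token:  ", simulate_attack(hardened_confirmation_url))
```

The two defences are independent: building links from configuration removes the attacker's influence on the email entirely, while the Host allowlist stops the request before any email is sent and also protects any other code path that still reads the header. Note the exact-match comparison; a check such as `host.endswith("example.net")` would accept look-alike names and reintroduce the problem.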

Vulnerability details

Internet Routing Registry daemon version 4 is an IRR database server, processing IRR objects in the RPSL format. From version 4.4.0 to before version 4.4.5 and from version 4.5.0 to before version 4.5.1, an attacker can manipulate the HTTP Host header on a password reset or account creation request. The confirmation link in the resulting email can then point to an attacker-controlled domain. Opening the link in the email is sufficient to pass the token to the attacker, who can then use it on the real IRRd instance to take over the account. A compromised account can then be used to modify RPSL objects maintained by the account's mntners and perform other account actions. If the user had two-factor authentication configured, which is required for users with override access, an attacker is not able to log in, even after successfully resetting the password. This issue has been patched in versions 4.4.5 and 4.5.1.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1078 Valid Accounts (Stealth)
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

T1136.001 Local Account (Persistence)
Adversaries may create a local account to maintain access to victim systems.
Why these techniques?

The vulnerability in the public IRRd HTTP service enables account takeover or account creation through a poisoned password reset or registration flow (T1190); this directly results in the attacker holding or creating valid local accounts that can be used for RPSL object manipulation (T1078, T1136.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
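The T1190 mapping above suggests what to hunt for: reset or registration requests arriving with a Host header that does not name the instance. The following is an added example, not IRRd code, that runs such a check over access-log lines. The log format (a line carrying client, method, path, the Host header and status), the request paths and the sample lines are all constructed assumptions; adapt the regular expression to whatever the reverse proxy in front of IRRd actually writes, making sure it logs the Host header at all.

```python
"""Added example (not IRRd code): a hunt over HTTP access logs for the T1190
precursor of CVE-2026-28681, that is, password-reset or account-creation
requests whose Host header does not name the instance. The log format, the
request paths and the sample lines are constructed assumptions."""
import re
from collections import Counter
from urllib.parse import urlsplit

EXPECTED_HOSTS = {"irrd.example.net"}                            # constructed
SENSITIVE_PATHS = ("/ui/password-reset", "/ui/create-account")  # assumed paths

# Constructed format: <ts> <client> "<METHOD> <PATH>" host="<Host header>" <status>
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'host="(?P<host>[^"]*)" (?P<status>\d{3})$'
)

# Constructed sample log: one legitimate reset, two spoofed-Host requests from
# the same client (one a look-alike subdomain), an unrelated GET, a legitimate
# reset whose Host carries a port, and an unparsable line.
SAMPLE_LOG = """\
2026-03-07T10:15:02Z 203.0.113.5 "POST /ui/password-reset" host="irrd.example.net" 200
2026-03-07T10:15:09Z 198.51.100.7 "POST /ui/password-reset" host="irrd.attacker.example" 200
2026-03-07T10:15:11Z 198.51.100.7 "POST /ui/create-account" host="irrd.example.net.attacker.example" 200
2026-03-07T10:16:40Z 203.0.113.9 "GET /ui/" host="irrd.attacker.example" 200
2026-03-07T10:17:01Z 198.51.100.7 "POST /ui/password-reset" host="irrd.example.net:443" 200
garbage line that does not parse
"""


def parse_line(line: str):
    """One log line to a dict of named fields, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def normalise_host(host: str):
    """Strip the port, lower-case, unwrap IPv6 brackets; None if empty/unparsable."""
    return urlsplit("//" + host).hostname


def find_host_spoofing(log_text: str, expected_hosts=EXPECTED_HOSTS) -> list:
    """Return records for sensitive POSTs whose Host is not an expected hostname.

    Exact match rather than suffix match, so look-alike subdomains are flagged.
    """
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if not rec["path"].startswith(SENSITIVE_PATHS):
            continue
        if normalise_host(rec["host"]) not in expected_hosts:
            alerts.append(rec)
    return alerts


def offenders(alerts) -> Counter:
    """Client addresses ranked by number of spoofed-Host sensitive requests."""
    return Counter(a["client"] for a in alerts)


if __name__ == "__main__":
    hits = find_host_spoofing(SAMPLE_LOG)
    for rec in hits:
        print(f'{rec["ts"]} {rec["client"]} {rec["path"]} Host={rec["host"]!r}')
    print("by client:", dict(offenders(hits)))
```

A hit here is a request the vulnerable code would have turned into a poisoned email, so on an unpatched instance each one is worth tracing to the account it targeted; on a patched instance the same query still reveals who is probing. The empty-Host case is treated as suspicious too, since `normalise_host("")` yields `None`, which is never in the allowlist.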

CVEs Like This One

CVE-2024-11350 (shared CWE-640)
CVE-2026-33707 (shared CWE-640)
CVE-2026-2564 (shared CWE-640)
CVE-2025-25198 (shared CWE-601)
CVE-2026-30459 (shared CWE-640)
CVE-2026-28268 (shared CWE-640)
CVE-2026-7459 (shared CWE-640)
CVE-2025-13565 (shared CWE-640)
CVE-2026-32865 (shared CWE-640)
CVE-2026-27593 (shared CWE-640)

Affected Assets

Vendor: Internet Routing Registry Daemon Project
Product: Internet Routing Registry Daemon (IRRd)
Versions: 4.4.0 up to but not including 4.4.5; 4.5.0 up to but not including 4.5.1

Mitigating Controls (NIST 800-53 r5)

prevent: SI-10 Information Input Validation
Directly requires validation of untrusted inputs such as the client-supplied HTTP Host header, so that confirmation links are built from trusted configuration rather than from a value the attacker controls.

prevent: SI-2 Flaw Remediation
Mandates timely flaw remediation, here patching IRRd to version 4.4.5 or 4.5.1, which validate the Host header.

prevent: authenticator management
Requires secure management and protection of authenticators such as password reset tokens, limiting the impact of token leakage and unauthorized account actions; together with two-factor authentication, which the advisory notes blocks login even after a successful reset.
