CVE-2026-28681
Published: 06 March 2026
Summary
CVE-2026-28681 is a high-severity Open Redirect (CWE-601) vulnerability in Internet Routing Registry Daemon Project Internet Routing Registry Daemon. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 34.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-28681 is a vulnerability in the Internet Routing Registry daemon (IRRd) version 4, an IRR database server that processes objects in RPSL format. It affects versions from 4.4.0 up to but not including 4.4.5, and from 4.5.0 up to but not including 4.5.1. The issue stems from improper handling of the HTTP Host header in password reset and account creation requests, enabling attackers to craft confirmation links in emails that redirect to attacker-controlled domains. This flaw is classified under CWE-601 (URL Redirection to Untrusted Site) and CWE-640 (Weak Password Recovery Mechanism for Passwords), with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N).
An unauthenticated attacker (PR:N) can exploit this by submitting a manipulated HTTP request with a falsified Host header during password reset or account creation flows. When the targeted user opens the confirmation link in the resulting email, the valid token is leaked to the attacker's domain. The attacker can then replay this token against the legitimate IRRd instance to complete the reset or creation process and take over the account. With a compromised account, the attacker can modify RPSL objects maintained by the account's mntners and perform other account actions. However, if the account has two-factor authentication enabled—which is required for users with override access—the attacker cannot log in post-reset.
The vulnerability has been patched in IRRd versions 4.4.5 and 4.5.1, as detailed in the project's GitHub security advisory (GHSA-22m3-c7vp-49fj) and corresponding release notes. Mitigation commits are available at specific GitHub references, addressing the Host header validation to prevent redirection to untrusted domains. Security practitioners should upgrade affected IRRd instances immediately and review email confirmation flows for similar issues.
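To make the fix class concrete, the following is an added example (not IRRd's own code; the function and configuration names are hypothetical) contrasting a confirmation-link builder that trusts the request's Host header with one that rejects hosts outside an operator allowlist and derives the link only from a configured canonical base URL:

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample configuration; the keys are hypothetical, not IRRd settings.
CONFIG = {
    "server.http.url": "https://irr.example.net",  # canonical, operator-controlled
    "server.http.allowed_hosts": {"irr.example.net", "irr.example.net:443"},
}


def build_link_from_host_header(request_host: str, token: str) -> str:
    """Weak pattern: the emailed link is derived from the client-supplied Host
    header, so a forged Host makes the link point at an untrusted domain."""
    return f"https://{request_host}/account/reset/{token}"


def host_is_trusted(request_host: str, allowed_hosts: set[str]) -> bool:
    """Compare the Host header against an operator allowlist, case-insensitively
    and ignoring an explicit default HTTPS port. Anything else is rejected."""
    host = request_host.strip().lower().removesuffix(":443")
    return host in {h.lower().removesuffix(":443") for h in allowed_hosts}


def build_confirmation_link(config: dict, request_host: str, token: str) -> str:
    """Hardened pattern: reject untrusted Host values up front, then build the
    link from the configured base URL so the Host header never reaches the email."""
    if not host_is_trusted(request_host, config["server.http.allowed_hosts"]):
        raise ValueError(f"untrusted Host header rejected: {request_host!r}")
    base = urlsplit(config["server.http.url"])
    # Scheme and netloc come only from config; the path is fixed server-side.
    return urlunsplit((base.scheme, base.netloc, f"/account/reset/{token}", "", ""))


if __name__ == "__main__":
    token = "constructed-sample-token"
    # The weak builder happily emits a link to whatever Host the client sent.
    print(build_link_from_host_header("attacker.example", token))
    # The hardened builder emits the canonical host regardless of the request.
    print(build_confirmation_link(CONFIG, "IRR.EXAMPLE.NET:443", token))
```

Rejecting the request with a clear error (rather than silently substituting the canonical host) also gives operators a log line to alert on when forged Host headers arrive.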
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9991
Vulnerability details
Internet Routing Registry daemon version 4 is an IRR database server, processing IRR objects in the RPSL format. From version 4.4.0 to before version 4.4.5 and from version 4.5.0 to before version 4.5.1, an attacker can manipulate the HTTP Host header on a password reset or account creation request. The confirmation link in the resulting email can then point to an attacker-controlled domain. Opening the link in the email is sufficient to pass the token to the attacker, who can then use it on the real IRRD instance to take over the account. A compromised account can then be used to modify RPSL objects maintained by the account's mntners and perform other account actions. If the user had two-factor authentication configured, which is required for users with override access, an attacker is not able to log in, even after successfully resetting the password. This issue has been patched in versions 4.4.5 and 4.5.1.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A vulnerability in a public-facing IRRd service enables account takeover or account creation via a poisoned password reset flow (T1190); this directly results in the attacker obtaining or creating valid local accounts for RPSL manipulation (T1078, T1136.001).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of untrusted inputs such as the manipulated HTTP Host header, preventing the generation of confirmation links that point to attacker-controlled domains.
- SI-2 (Flaw Remediation): mandates timely flaw remediation, including patching IRRd to version 4.4.5 or 4.5.1, which fix the Host header vulnerability.
- Authenticator management: enforces secure management and protection of authenticators such as password reset tokens, mitigating the risk of token leakage and unauthorized account actions.