PROBABLYPWNED
Vulnerabilities | May 10, 2026 | 3 min read

AzuraCast Patches Two High-Severity Flaws: RCE and Account Takeover

Two vulnerabilities in AzuraCast radio automation software enable authenticated RCE via path traversal and unauthenticated account takeover through password reset poisoning. Upgrade to 0.23.6 now.

Marcus Chen

AzuraCast, the open-source web radio automation platform, patched two high-severity vulnerabilities this week that could allow attackers to execute code on servers or take over user accounts without authentication. Both flaws were disclosed on May 9 and affect all versions prior to 0.23.6.

Organizations running self-hosted AzuraCast instances should update immediately. The combination of these vulnerabilities creates a path from unauthenticated access to full server compromise.

CVE-2026-42605: Path Traversal to RCE

The first vulnerability (CVE-2026-42605, CVSS 8.8) exists in AzuraCast's Flow.js media upload endpoint. The currentDirectory request parameter lacks proper sanitization, allowing authenticated users with media management permissions to write files outside intended directories.

An attacker can upload a PHP webshell to the web root using path traversal sequences like ../. Once the webshell is in place, executing arbitrary commands requires only a GET request. The authentication requirement limits initial exploitation to users who already have some level of access, but media management is a common permission in radio station deployments.
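The defect class here is a directory parameter that is joined onto a base path and never checked afterwards. The following is an added example (not AzuraCast's code, and written in Python rather than the project's PHP) that puts the unchecked join beside the confined version a defender would want: the media root `/var/azuracast/stations/demo/media` and the function names are constructed for the example.

```python
import posixpath
from pathlib import PurePosixPath

# Constructed media root for one station; the real AzuraCast layout is not assumed here.
MEDIA_ROOT = PurePosixPath("/var/azuracast/stations/demo/media")


def _join_and_normalize(base: PurePosixPath, user_path: str) -> PurePosixPath:
    """Join a client-supplied path onto base and collapse '.' and '..' lexically."""
    return PurePosixPath(posixpath.normpath(posixpath.join(str(base), user_path)))


def resolve_upload_dir_vulnerable(current_directory: str) -> PurePosixPath:
    """Mirrors the defect class: the client value is joined and normalized but never
    checked, so '../' sequences (or an absolute path) walk out of MEDIA_ROOT."""
    return _join_and_normalize(MEDIA_ROOT, current_directory)


def resolve_upload_dir_safe(current_directory: str) -> PurePosixPath:
    """Confine the target directory to MEDIA_ROOT.

    Treat the value as relative (strip leading slashes), normalize, then require
    the result to be MEDIA_ROOT itself or a descendant of it. Anything else is
    rejected before any file is written.

    Caveat: this is a lexical check. On a real filesystem, follow it with
    os.path.realpath on the result and repeat the containment test, because a
    symlink inside the media root can still point outside it.
    """
    candidate = _join_and_normalize(MEDIA_ROOT, current_directory.lstrip("/"))
    if candidate != MEDIA_ROOT and MEDIA_ROOT not in candidate.parents:
        raise ValueError(f"currentDirectory escapes the media root: {current_directory!r}")
    return candidate


def is_confined(current_directory: str) -> bool:
    """Boolean form of the check, handy for request validation or for triaging
    upload requests in access logs."""
    try:
        resolve_upload_dir_safe(current_directory)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for value in ("album/2026", "", "/etc", "../../../../../../var/www/html", "album/../../escape"):
        print(f"{value!r:45} vulnerable -> {resolve_upload_dir_vulnerable(value)}  confined={is_confined(value)}")
```

The containment test compares the normalized candidate against the root rather than checking the raw string for `..`, so encoded or doubled forms that normalize to the same escape are caught the same way, and a legitimate subdirectory with dots in its name is not rejected by accident.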

This pattern—file upload combined with path traversal leading to code execution—appears regularly in web application security. We covered a similar auth bypass leading to RCE in cPanel last month, though that vulnerability didn't require authentication at all.

CVE-2026-42606: Password Reset Poisoning

The second vulnerability (CVE-2026-42606, CVSS 8.1) affects the password reset flow. AzuraCast's ApplyXForwarded middleware unconditionally trusts the X-Forwarded-Host HTTP header without validating it against expected values.

When an attacker triggers a password reset for any user and injects a malicious X-Forwarded-Host header, the reset link sent to the victim contains the attacker's domain instead of the legitimate AzuraCast URL. If the victim clicks the poisoned link, their reset token is sent to the attacker's server.

The attack chain works like this:

  1. Attacker requests password reset for victim's email
  2. Attacker includes X-Forwarded-Host: attacker.com in the request
  3. Victim receives email with reset link pointing to attacker.com
  4. Victim clicks link, sending token to attacker
  5. Attacker uses token on real AzuraCast instance to reset password
  6. Password reset also destroys 2FA configuration, bypassing additional authentication

This vulnerability requires no authentication and can target any user account, including administrators.
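The root cause is that a security-relevant URL (the reset link) is derived from a request header the client controls. The following added example, not AzuraCast's code and in Python rather than the project's PHP, shows the trusting link builder next to one that honours `X-Forwarded-Host` only when the value is on an allowlist and otherwise uses a configured canonical host. The host names `radio.example.org` and `radio-alt.example.org`, the `ALLOWED_HOSTS` set and the `/reset/<token>` path are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed deployment values (assumptions, not AzuraCast configuration keys).
CANONICAL_HOST = "radio.example.org"
ALLOWED_HOSTS = {"radio.example.org", "radio-alt.example.org"}
SCHEME = "https"


def _header(headers: dict, name: str):
    """Case-insensitive header lookup (web frameworks normally do this for you)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def reset_link_vulnerable(headers: dict, token: str) -> str:
    """Builds the link from whatever host the request claims. X-Forwarded-Host wins
    over Host, so a client that sets it decides where the victim's token is sent."""
    host = _header(headers, "X-Forwarded-Host") or _header(headers, "Host")
    return f"{SCHEME}://{host}/reset/{token}"


def effective_host(headers: dict) -> str:
    """Accept a forwarded host only if it is on the allowlist; otherwise fall back
    to the configured canonical host. Handles 'a, b' lists and ':port' suffixes,
    and treats anything that fails to parse as untrusted."""
    raw = _header(headers, "X-Forwarded-Host") or ""
    first = raw.split(",")[0].strip().lower()
    try:
        hostname = urlsplit(f"//{first}").hostname if first else None
    except ValueError:
        hostname = None
    return hostname if hostname in ALLOWED_HOSTS else CANONICAL_HOST


def reset_link_safe(headers: dict, token: str) -> str:
    """Security-relevant URLs are built only from validated or configured values."""
    return f"{SCHEME}://{effective_host(headers)}/reset/{token}"


if __name__ == "__main__":
    # Constructed request headers: the forwarded host does not match the deployment.
    request = {"Host": "radio.example.org", "X-Forwarded-Host": "attacker.example"}
    print("vulnerable:", reset_link_vulnerable(request, "tok123"))
    print("safe:      ", reset_link_safe(request, "tok123"))
```

The same rule belongs at the proxy layer, which is the header-stripping mitigation the remediation section recommends: in nginx, `proxy_set_header X-Forwarded-Host $host;` overwrites any client-supplied value before the request reaches the backend, so the application only ever sees a host the proxy itself produced.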

Chaining for Full Compromise

An attacker could combine these vulnerabilities for maximum impact:

  1. Use CVE-2026-42606 to take over an administrator or media manager account
  2. Use CVE-2026-42605 to upload a webshell with the compromised credentials
  3. Execute arbitrary commands on the server

The result is unauthenticated remote code execution—starting from nothing, ending with shell access.

Who's Affected

AzuraCast is popular among community radio stations, podcasters, and hobbyist broadcasters who want to run their own streaming infrastructure. The software's self-hosted nature means there's no automatic update mechanism; administrators must manually upgrade their installations.

Shodan queries for AzuraCast instances show deployments across educational institutions, small businesses, and individual operators. The typical AzuraCast user may not have dedicated security resources, making timely patching less likely.

Remediation

Upgrade to AzuraCast version 0.23.6 or later. The official Docker image has been updated with the fix.

If immediate upgrade isn't possible:

  1. Restrict network access - Place AzuraCast behind a VPN or firewall that limits who can reach the admin interface
  2. Remove X-Forwarded-Host at the proxy - If you're running AzuraCast behind nginx or Apache, strip this header before it reaches the application
  3. Audit media manager permissions - Limit which accounts have upload capabilities

Organizations using reverse proxies should verify their configuration doesn't pass untrusted headers to backend applications. This class of vulnerability affects many applications that trust forwarded headers without validation.
