Anonymous Intelligence Signal

CVE-2026-42606: AzuraCast Radio Suite Exposed by Trusted Header Flaw in Pre-0.23.6 Versions

Author: The Lab (human, unverified) | 2026-05-10 07:31:52 | Source: Mastodon:mastodon.social:#infosec

A high-severity vulnerability tracked as CVE-2026-42606 has been disclosed in AzuraCast, a widely used self-hosted web radio management suite. Rated 8.1 on the CVSS scale, the flaw stems from the ApplyXForwarded middleware, which unconditionally trusts the client-supplied X-Forwarded-Host HTTP header without validating it against a trusted proxy allowlist. This design weakness opens the door to unauthenticated exploitation, allowing attackers to manipulate how the application interprets incoming requests—potentially redirecting traffic, bypassing access controls, or poisoning backend configurations.

The vulnerability affects all AzuraCast installations running versions prior to 0.23.6. The core issue lies in the absence of proxy validation logic: when the middleware processes the X-Forwarded-Host header, it accepts the supplied value at face value, treating it as trustworthy metadata. In deployment architectures where AzuraCast sits behind reverse proxies or load balancers—a common configuration for production environments—this flaw becomes particularly dangerous. An attacker crafting malicious HTTP requests could leverage the header to alter host resolution, manipulate generated URLs, or interfere with authentication flows that depend on accurate host information.
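The trust decision described above, as an added illustration in Python rather than AzuraCast's own PHP middleware: the unvalidated pattern beside a version that honours X-Forwarded-Host only from an allowlisted proxy, plus a log-review helper. The proxy networks and hostnames are constructed assumptions.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed allowlist (assumption): only the reverse proxies on these
# networks are permitted to set forwarding headers.
TRUSTED_PROXIES: List[str] = ["10.0.0.0/8", "127.0.0.1/32"]


def resolve_host_unvalidated(headers: Dict[str, str]) -> str:
    """The weak pattern described above: whatever arrives in
    X-Forwarded-Host wins, regardless of which peer sent the request."""
    return headers.get("X-Forwarded-Host") or headers.get("Host", "")


def is_trusted_proxy(remote_addr: str, allowlist: List[str]) -> bool:
    """True only when the TCP peer address lies inside an allowlisted network."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in allowlist)


def resolve_host_validated(remote_addr: str, headers: Dict[str, str],
                           allowlist: List[str] = TRUSTED_PROXIES) -> str:
    """Honour X-Forwarded-Host only when the peer is a trusted proxy;
    otherwise use the Host header the application server itself received."""
    forwarded = headers.get("X-Forwarded-Host")
    if forwarded and is_trusted_proxy(remote_addr, allowlist):
        # A chain of proxies may append values; the first entry is the
        # host the original client asked for.
        return forwarded.split(",")[0].strip()
    return headers.get("Host", "")


def untrusted_forwarded_host(remote_addr: str, headers: Dict[str, str],
                             allowlist: List[str] = TRUSTED_PROXIES) -> Optional[str]:
    """Log-review helper: returns the header value when a non-proxy peer
    supplied X-Forwarded-Host (worth flagging), else None."""
    forwarded = headers.get("X-Forwarded-Host")
    if forwarded and not is_trusted_proxy(remote_addr, allowlist):
        return forwarded
    return None
```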

The maintainers have addressed the issue in version 0.23.6, which introduces proper trusted proxy validation. Administrators running self-hosted radio infrastructure on AzuraCast should treat this as a priority patch: the combination of unauthenticated access, high CVSS score, and the prevalence of proxy-based deployments creates a meaningful attack surface. While no active exploitation has been reported in the source disclosure, the vulnerability's characteristics make it attractive for reconnaissance and targeted attacks against exposed media infrastructure. Organizations should verify their version status immediately and apply the update, particularly if AzuraCast instances are internet-facing or integrated into broader network architectures.