SB20260423145 - Multiple vulnerabilities in AzuraCast
Published: April 23, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 vulnerabilities.
1) Missing Authorization (CVE-ID: N/A)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to inject arbitrary now-playing metadata, disrupt live broadcast tracking, disclose absolute filesystem paths, and fake DJ connections.
The vulnerability exists due to missing authorization in the /api/internal/{station_id}/liquidsoap/{action} endpoint when handling requests from the public web interface. A remote user can send crafted requests with a session or API key and, in some cases, an arbitrary X-Liquidsoap-Api-Key header to inject arbitrary now-playing metadata, disrupt live broadcast tracking, disclose absolute filesystem paths, and fake DJ connections.
Exploitation requires StationPermissions::View on the target station.
2) Weak Password Recovery Mechanism for Forgotten Password (CVE-ID: CVE-2026-42606)
CWE-ID: CWE-640 - Weak password recovery mechanism
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to take over user accounts and bypass two-factor authentication.
The vulnerability exists due to a weak password recovery mechanism in the ApplyXForwarded middleware and password reset flow when handling a forgot-password request with a client-supplied X-Forwarded-Host header. A remote attacker can send a specially crafted password reset request to take over user accounts and bypass two-factor authentication.
User interaction is required because the victim must click the poisoned password reset link.
3) Path traversal (CVE-ID: CVE-2026-42605)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to path traversal in the Flow.js media upload endpoint currentDirectory parameter when handling media upload requests. A remote user can upload a specially crafted file with traversal sequences in the currentDirectory parameter to execute arbitrary code.
Only instances using the local filesystem storage backend are vulnerable, and media management permissions are required.
Remediation
Install update from vendor's website.