SB20260423145 - Multiple vulnerabilities in AzuraCast



SB20260423145 - Multiple vulnerabilities in AzuraCast

Published: April 23, 2026

Security Bulletin ID SB20260423145
CSH Severity
High
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 33% Medium 33% Low 33%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 vulnerabilities.


1) Missing Authorization (CVE-ID: N/A)

CWE-ID: CWE-862 - Missing Authorization

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to inject arbitrary now-playing metadata, disrupt live broadcast tracking, disclose absolute filesystem paths, and fake DJ connections.

The vulnerability exists due to missing authorization in the /api/internal/{station_id}/liquidsoap/{action} endpoint when handling requests from the public web interface. A remote user can send crafted requests with a session or API key and, in some cases, an arbitrary X-Liquidsoap-Api-Key header to inject arbitrary now-playing metadata, disrupt live broadcast tracking, disclose absolute filesystem paths, and fake DJ connections.

Exploitation requires StationPermissions::View on the target station.


2) Weak Password Recovery Mechanism for Forgotten Password (CVE-ID: CVE-2026-42606)

CWE-ID: CWE-640 - Weak password recovery mechanism

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to take over user accounts and bypass two-factor authentication.

The vulnerability exists due to a weak password recovery mechanism in the ApplyXForwarded middleware and password reset flow when handling a forgot-password request with a client-supplied X-Forwarded-Host header. A remote attacker can send a specially crafted password reset request to take over user accounts and bypass two-factor authentication.

User interaction is required because the victim must click the poisoned password reset link.


3) Path traversal (CVE-ID: CVE-2026-42605)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to path traversal in the Flow.js media upload endpoint currentDirectory parameter when handling media upload requests. A remote user can upload a specially crafted file with traversal sequences in the currentDirectory parameter to execute arbitrary code.

Only instances using the local filesystem storage backend are vulnerable, and media management permissions are required.


Remediation

Install update from vendor's website.