CVE-2024-26470: n/a
A host header injection vulnerability in the forgot password function of FullStackHero's WebAPI Boilerplate v1.0.0 and v1.0.1 allows attackers to leak the password reset token via a crafted request.
AI Analysis
Technical Summary
CVE-2024-26470 is a host header injection vulnerability identified in the forgot password functionality of FullStackHero's WebAPI Boilerplate versions 1.0.0 and 1.0.1. Host header injection occurs when an application uses the HTTP Host header in an unsafe manner, trusting it to generate URLs or tokens without proper validation. In this case, the vulnerability allows an attacker to craft a request with a manipulated Host header, causing the application to generate password reset tokens that are leaked to an attacker-controlled domain or endpoint. This leakage can enable attackers to hijack user accounts by resetting passwords without authorization. The vulnerability is categorized under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The CVSS v3.1 base score is 8.1, reflecting high severity due to network attack vector, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. Although no public exploits are known, the flaw presents a critical risk in environments where the affected boilerplate is deployed, especially in production systems handling sensitive user data. The absence of patches or official fixes at the time of publication necessitates immediate attention to mitigation strategies.
Potential Impact
The primary impact of CVE-2024-26470 is the unauthorized disclosure of password reset tokens, which compromises user account confidentiality and integrity. Attackers exploiting this vulnerability can reset user passwords, leading to account takeover, data theft, and potential lateral movement within affected systems. This can result in significant reputational damage, regulatory penalties, and operational disruption for organizations. The vulnerability affects web applications built on FullStackHero's WebAPI Boilerplate, which may be used by startups, enterprises, and development teams globally. The ease of exploitation (no authentication or user interaction required) increases the risk of automated attacks and large-scale exploitation once an exploit becomes publicly available. The vulnerability also undermines trust in password reset mechanisms, a critical security control for user authentication management.
Mitigation Recommendations
To mitigate CVE-2024-26470, organizations should immediately implement strict validation and sanitization of the Host header in HTTP requests, ensuring that only expected and trusted hostnames are accepted. Developers should avoid using the Host header directly to construct URLs or tokens without verification. Employing a whitelist of allowed hostnames or using server-side configuration to enforce canonical hostnames can prevent injection. Additionally, password reset tokens should never be exposed in URLs or headers that can be manipulated by clients; tokens should be securely generated, stored, and transmitted only over trusted channels. Monitoring and logging unusual password reset requests or host header anomalies can help detect exploitation attempts. Until an official patch is released, consider disabling or restricting the forgot password functionality or implementing multi-factor authentication to reduce risk. Regularly update dependencies and monitor vendor advisories for patches.
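The following is an added example, not code from FullStackHero's boilerplate, showing the two mitigations above in an ASP.NET Core minimal API (the boilerplate is a .NET project): a Host allowlist enforced by the framework's host-filtering middleware, and a reset link whose origin is read from configuration instead of the request. The `App:BaseUrl` key and `api.example.com` hostname are placeholders.

```csharp
using System;
using System.Net;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.HostFiltering;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// 1. Reject any request whose Host header is not on the allowlist.
//    The same policy can be set via the "AllowedHosts" key in appsettings.json;
//    configuring it in code makes the decision visible during review.
builder.Services.Configure<HostFilteringOptions>(options =>
{
    options.AllowedHosts = new[] { "api.example.com" }; // placeholder hostname
    options.AllowEmptyHosts = false;     // a missing Host header is also rejected
    options.IncludeFailureMessage = false;
});

var app = builder.Build();
app.UseHostFiltering(); // unmatched Host -> 400 before any handler runs

// Vulnerable pattern: the link origin is copied from the request, so a forged
// Host header ends up in the link that is mailed to the victim.
static string BuildResetLinkVulnerable(HttpRequest request, string token) =>
    $"{request.Scheme}://{request.Host}/reset-password?token={WebUtility.UrlEncode(token)}";

// Hardened pattern: the origin comes only from server-side configuration.
static string BuildResetLinkSafe(IConfiguration config, string token)
{
    var baseUrl = config["App:BaseUrl"]   // hypothetical key, e.g. https://api.example.com
        ?? throw new InvalidOperationException("App:BaseUrl is not configured");
    var origin = new Uri(baseUrl, UriKind.Absolute).GetLeftPart(UriPartial.Authority);
    return $"{origin}/reset-password?token={WebUtility.UrlEncode(token)}";
}

app.MapPost("/api/forgot-password", (IConfiguration config) =>
{
    // Stand-in for the application's own token provider: 256 bits from a CSPRNG.
    var token = Convert.ToHexString(RandomNumberGenerator.GetBytes(32));
    var link = BuildResetLinkSafe(config, token);
    // Deliver `link` to the user's registered e-mail address here; the token is
    // never written to the HTTP response, so the reply is the same for every input.
    return Results.Ok();
});

app.Run();
```

Host-filtering rejections surface as 400 responses in the request logs, which gives the monitoring recommended above a concrete signal for Host header anomalies on the forgot-password route.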
Affected Countries
United States, India, Germany, United Kingdom, Canada, Australia, France, Netherlands, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-02-19T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6d77b7ef31ef0b57261a
Added to database: 2/25/2026, 9:45:27 PM
Last enriched: 2/28/2026, 10:04:38 AM
Last updated: 4/12/2026, 5:06:06 PM