The vulnerability CVE-2026-28681 affects the Internet Routing Registry daemon (irrd), a server software that manages IRR databases containing routing policy objects in RPSL format. Specifically, versions 4.4.0 up to but not including 4.4.5, and 4.5.0 up to but not including 4.5.1, are vulnerable to an open redirect attack (CWE-601). The flaw arises from improper validation of the HTTP Host header during sensitive operations such as password reset and account creation. An attacker can craft a request with a manipulated Host header so that the confirmation email sent to the user contains a link pointing to an attacker-controlled domain. When the user clicks this link, the token embedded in the URL is exposed to the attacker. This token can then be used to reset the password and gain unauthorized access to the victim's account on the legitimate IRRD instance. Once compromised, the attacker can modify RPSL objects maintained by the account's maintainers (mntners), potentially altering routing policies or injecting malicious routing information. However, if the compromised account has two-factor authentication enabled, which is mandatory for users with override privileges, the attacker cannot complete the login despite having reset the password. The vulnerability does not affect availability but has a high impact on confidentiality and integrity. The issue has been addressed in irrd versions 4.4.5 and 4.5.1. There are no known exploits in the wild as of the publication date.

This vulnerability poses a significant risk to organizations relying on irrd for managing Internet Routing Registry data. Successful exploitation leads to account takeover, allowing attackers to modify routing policy objects, which could disrupt network routing, cause traffic misdirection, or enable further attacks such as BGP hijacking. The integrity of routing data is critical for Internet infrastructure stability; thus, compromised accounts could have cascading effects on network operators and their customers. While 2FA mitigates risk for high-privilege users, accounts without 2FA remain vulnerable. The attack requires user interaction (clicking the malicious link), but no prior authentication or complex exploitation is needed, increasing the likelihood of successful phishing campaigns. The vulnerability does not impact system availability directly but threatens confidentiality and integrity of routing data, which are vital for secure network operations.

Organizations should immediately upgrade irrd to versions 4.4.5 or 4.5.1 to apply the official patches addressing this vulnerability. Until patched, administrators should enforce two-factor authentication for all accounts, especially those with override access, to reduce the risk of account takeover. Additionally, monitoring email templates and confirmation link generation logic for proper validation of the Host header can help detect or prevent manipulation. Implementing strict validation or whitelisting of Host headers on the server side will mitigate open redirect risks. User education on phishing risks related to password reset emails is essential to reduce the chance of token leakage. Logging and alerting on unusual password reset or account creation requests with suspicious Host headers can aid in early detection. Network operators should audit RPSL object changes for unauthorized modifications and maintain backups of routing data for recovery. Finally, consider isolating IRRD instances behind web application firewalls (WAFs) that can detect and block open redirect attempts.