CVE-2026-25523
Magento's X-Original-Url header can expose admin url
Description
### Impact The admin url can be discovered without prior knowledge of it's location by exploiting the X-Original-Url header on some configurations. ### Patches The bug comes from the Zend library and is patche by unsetting the header in the bootstrap process. ### Workarounds Unset the `X-Original-Url` header in the web server configuration. ### References The activation of these headers is coming from the Zend_Controller module. It appears this has been known to some degree since 2016 - https://peterocallaghan.co.uk/2016/12/magento-poisoning-cache/ (dead link now..) ### Credit Anees Hyder ( @anees0xdev ) via HackerOne https://hackerone.com/anees0x_dev/hacktivity
How to fix CVE-2026-25523
To remediate CVE-2026-25523, upgrade the affected package to a fixed version below.
- —upgrade to 20.16.1 or later
Is CVE-2026-25523 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 20.16.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |