GHSA-jg68-vhv3-9r8f (CVE-2026-25523)

Details

Impact

The admin url can be discovered without prior knowledge of it's location by exploiting the X-Original-Url header on some configurations.

Patches

The bug comes from the Zend library and is patche by unsetting the header in the bootstrap process.

Workarounds

Unset the X-Original-Url header in the web server configuration.

References

The activation of these headers is coming from the Zend_Controller module. It appears this has been known to some degree since 2016 - https://peterocallaghan.co.uk/2016/12/magento-poisoning-cache/ (dead link now..)

Credit

Anees Hyder ( @anees0xdev ) via HackerOne https://hackerone.com/anees0x_dev/hacktivity

Affected Packages

openmage/magento-lts

Packagist

Fixed in:

20.16.1

References

PACKAGE

https://github.com/OpenMage/magento-lts

WEB

https://github.com/OpenMage/magento-lts/security/advisories/GHSA-jg68-vhv3-9r8f

ADVISORY

https://github.com/advisories/GHSA-jg68-vhv3-9r8f

WEB

https://hackerone.com/bugs?subject=openmage&report_id=3416312

ADVISORY

https://nvd.nist.gov/vuln/detail/CVE-2026-25523