CVE-2026-25523

MEDIUM 5.3 | EPSS 0.01%

Magento's X-Original-Url header can expose admin url

Published: 2/2/2026 | Modified: 2/10/2026
Also known as: GHSA-jg68-vhv3-9r8f

Description

### Impact

The admin URL can be discovered without prior knowledge of its location by exploiting the X-Original-Url header on some configurations.

### Patches

The bug comes from the Zend library and is patched by unsetting the header in the bootstrap process.

### Workarounds

Unset the `X-Original-Url` header in the web server configuration.

### References

The activation of these headers comes from the Zend_Controller module. It appears this has been known to some degree since 2016 - https://peterocallaghan.co.uk/2016/12/magento-poisoning-cache/ (the link is now dead).

### Credit

Anees Hyder ( @anees0xdev ) via HackerOne https://hackerone.com/anees0x_dev/hacktivity
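The workaround above says to unset the header at the web server, but gives no configuration. The following Apache httpd virtual-host fragment is an added example written for this page, not code from the advisory, the reporter, or the Magento project. It assumes Apache with mod_headers loaded, a placeholder hostname and document root, and PHP (mod_php or php-fpm behind mod_proxy_fcgi) receiving request headers as `$_SERVER['HTTP_*']` entries, which is how Zend_Controller_Request_Http reads `X-Original-Url` in the first place.

```apache
# Added example (not from the advisory or the Magento project).
# Apache httpd vhost fragment implementing the advisory's workaround:
# drop the client-supplied X-Original-Url request header before PHP
# can see it as $_SERVER['HTTP_X_ORIGINAL_URL'].
# Assumes: mod_headers is loaded; hostname and paths are placeholders.

<VirtualHost *:443>
    ServerName shop.example.invalid
    DocumentRoot /var/www/magento-placeholder/pub

    # "early" removes the header in the early request phase, before
    # mod_rewrite rules, .htaccess processing, or a proxied PHP backend
    # can act on a value the client chose. The header name is matched
    # case-insensitively, so X-ORIGINAL-URL variants are covered too.
    RequestHeader unset X-Original-Url early

    # The same Zend request class honours X-Rewrite-Url through the same
    # IIS rewrite-module convention, so it is removed here as well.
    RequestHeader unset X-Rewrite-Url early

    <Directory /var/www/magento-placeholder/pub>
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
```

After reloading Apache, a request that carries `X-Original-Url` must be routed exactly as if the header were absent; the application should never see the attacker-chosen value. If Magento sits behind a reverse proxy or CDN that forwards client headers, apply the equivalent rule there too, since the header only needs to survive one hop into PHP. On nginx with php-fpm the same effect is obtained by overriding the derived FastCGI variable (`fastcgi_param HTTP_X_ORIGINAL_URL "";`, the pattern also used for the httpoxy mitigation). Neither replaces the upstream patch, which unsets the header in the bootstrap process; the server rule is defence in depth for hosts that cannot upgrade immediately.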

Affected packages (1)

CVSS scores

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 3.1 | MEDIUM 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |

References (4)