Password Reset Poisoning, Host Header Attack

Eng. Donya Bino Published  ·  4 min read
Updated on March 07, 2026

Password reset poisoning (also called Host header poisoning in reset flows) is one of those “old but gold” vulnerabilities that refuses to die. In 2026 it’s still one of the highest-payout web bugs on major bug-bounty platforms, easily $10k–$30k+ on private programs when it affects high-value targets (crypto exchanges, SaaS platforms, fintech, healthcare portals, enterprise login systems).

The attack takes literally 3 clicks from an attacker and can let them hijack any user’s account without ever knowing their password or 2FA code.

The attack, as it still plays out in 2026, proceeds as follows:
1. The victim requests a password reset via https://app.target.com/reset-password and enters their email address.

2. The attacker intercepts the request and poisons the Host header: they replay the request themselves (with a tool such as Burp or curl) with the Host header changed to a domain they control.

Example:
POST /reset-password HTTP/1.1
Host: evil.com
Content-Type: application/x-www-form-urlencoded

email=victim@target.com

The application generates a reset token and builds the reset link from the Host header it received, so the link points at evil.com. The email itself is still delivered to the victim's real address.

Example:
Click to reset: https://evil.com/reset?token=abc123...

3. The victim receives the email and clicks the link. It looks legitimate: it carries the same branding as a genuine reset email and contains a real token. The click sends the reset token to evil.com, the attacker's server, where the attacker captures it.

4. The attacker uses the reset token captured in the previous step to reset the victim's password by visiting https://evil.com/reset?token=abc123... (or by redirecting the victim there) and sets a new password, thereby taking over the victim's account.

The attacker needed only three HTTP requests to complete the attack. The result is FULL CONTROL of the victim's account, with no MFA bypass and no phishing page required.
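The following Python model, added here and not part of the original article, shows why the three requests above work. It places the "bad" link builder that copies the authority from the request beside the "good" one that uses a configured origin, and feeds both the same constructed requests: a legitimate one, one with a poisoned Host, and one with a poisoned X-Forwarded-Host (which some frameworks prefer over Host). The APP_URL value, the request dictionaries and the token are constructed for the example.

```python
from urllib.parse import urlencode, urlsplit

# Canonical origin for reset links. In production this comes from server-side
# configuration (for example an APP_URL setting); the value here is an assumption.
APP_URL = "https://app.target.com"


def vulnerable_reset_url(headers: dict, token: str) -> str:
    """Builds the link the way the vulnerable application does: the scheme is
    fixed, but the authority is copied straight from the incoming request."""
    # Frameworks that honour X-Forwarded-Host widen the hole: even a correct
    # Host header is overridden by whatever the client put in X-Forwarded-Host.
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    return f"https://{host}/reset?{urlencode({'token': token})}"


def hardened_reset_url(token: str, app_url: str = APP_URL) -> str:
    """Builds the link from configuration only; nothing from the request is used."""
    return f"{app_url.rstrip('/')}/reset?{urlencode({'token': token})}"


def link_host(url: str) -> str:
    """Host part of a reset link, i.e. where the victim's browser will send the token."""
    return urlsplit(url).hostname or ""


# Constructed requests: the first is what a victim's browser sends, the other
# two are what an attacker sends after editing the headers.
REQUESTS = {
    "legitimate": {"Host": "app.target.com"},
    "poisoned host": {"Host": "evil.com"},
    "poisoned via x-forwarded-host": {"Host": "app.target.com",
                                      "X-Forwarded-Host": "evil.com"},
}


def compare(token: str = "abc123") -> dict:
    """For each constructed request, the host each builder would email to the victim."""
    return {
        name: {
            "vulnerable": link_host(vulnerable_reset_url(headers, token)),
            "hardened": link_host(hardened_reset_url(token)),
        }
        for name, headers in REQUESTS.items()
    }


if __name__ == "__main__":
    for name, hosts in compare().items():
        print(f"{name:32s} vulnerable -> {hosts['vulnerable']:16s} hardened -> {hosts['hardened']}")
```

The hardened builder returns app.target.com for every request, including the two poisoned ones, because the request never participates in building the link; the vulnerable builder returns evil.com for both poisoned requests, which is exactly the link the victim is then asked to click.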

Why It Still Pays $20k+ in 2026
1. Business Impact: a reset-poisoning flaw lets an attacker take over accounts, so failing to validate the host in the reset flow can lead to catastrophic financial losses (crypto / fintech), unauthorized access to customer data and to billing and administration functions with the revenue and compliance exposure that follows (SaaS businesses), and exposure of PII (healthcare and enterprise).

2. Hard to Spot: the attacker ends up with a reset email that looks identical to a legitimate one, and the victim alone has to notice that the link points at an impostor domain.

3. General Popularity: Many SaaS, ECommerce, and Regional Banking

Steps to Follow as a Bug Hunter to Test for It Yourself
1. Initiate the password reset process on the target site.
2. Intercept the POST request (using Burp or Burp Community).
3. Change the Host header to your own domain (or to a Burp Collaborator or Interactsh domain).
4. Submit the form and wait for the reset email.
5. Check whether the URL in the email uses your domain; if it does, report it immediately.

How to Fix It through Practical Hardening
Do not trust Host or X-Forwarded-Host when building the link to reset a user's password. The reset domain should be hard-coded, for example:
// Good: the origin is a server-side constant, nothing from the request is used
$resetUrl = "https://app.target.com/reset?token=" . $token;

// Bad: the origin is whatever the client put in the Host header
$resetUrl = "https://" . $_SERVER['HTTP_HOST'] . "/reset?token=" . $token;

Hard-code a canonical domain in a .env or .conf file and use it as follows:
.env file
APP_URL=https://app.target.com

Validate the Host header against an allowed list for sensitive endpoints, as shown below:
// Reject the request before any reset logic runs if Host is not the canonical domain
if ($_SERVER['HTTP_HOST'] !== 'app.target.com') {
    http_response_code(400);
    exit('Invalid host');
}

WAF/CDN rule: block, or at least log (depending on the security requirements), any request to a reset URL whose Host header is not an allowed value.
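The Host allow-list check and the WAF/CDN rule above, as an added Python example that is not the article's own code. host_is_allowed() fails closed: it normalises the host (case, port, trailing dot), rejects a missing or foreign Host, and also rejects any X-Forwarded-Host entry outside the allow-list, since that header is the other value frameworks use to build links. find_poisoned_reset_requests() then applies the same check as a detection rule over constructed access-log lines; the log format, the ALLOWED_HOSTS value and the client addresses are assumptions made for the example.

```python
import re

# Hosts allowed to serve the reset flow. Constructed for this example; in a
# real deployment this is the canonical domain from configuration.
ALLOWED_HOSTS = frozenset({"app.target.com"})

# Request paths on which a foreign Host must be rejected (assumption: the
# reset endpoints named in the article).
SENSITIVE_PATHS = ("/reset-password", "/reset")


def _header(headers: dict, name: str):
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def normalize_host(value: str) -> str:
    """Lower-case the host, drop any port and trailing dot, keep IPv6 literals intact."""
    host = value.strip().lower()
    if host.startswith("["):                  # IPv6 literal such as [::1]:443
        host = host[: host.find("]") + 1]
    else:
        host = host.split(":", 1)[0]
    return host.rstrip(".")


def host_is_allowed(headers: dict, allowed=ALLOWED_HOSTS):
    """Return (ok, reason). Fails closed: a missing Host, a Host outside the
    allow-list, or any X-Forwarded-Host entry outside it is rejected."""
    host = _header(headers, "Host")
    if not host:
        return False, "missing Host header"
    if normalize_host(host) not in allowed:
        return False, f"Host {host!r} not in allow-list"
    forwarded = _header(headers, "X-Forwarded-Host")
    if forwarded is not None:
        # A proxy chain may yield a comma-separated list; every hop must be allowed,
        # otherwise a framework preferring X-Forwarded-Host would still build a bad link.
        for entry in forwarded.split(","):
            if normalize_host(entry) not in allowed:
                return False, f"X-Forwarded-Host {entry.strip()!r} not in allow-list"
    return True, "ok"


# Constructed access-log lines in an assumed format: client, method, path,
# then the Host header and (optionally) X-Forwarded-Host as logged at the edge.
SAMPLE_LOG = """\
203.0.113.5 POST /reset-password host="app.target.com"
203.0.113.7 POST /reset-password host="evil.com"
203.0.113.9 POST /reset-password host="app.target.com" xfh="evil.com"
203.0.113.11 GET /login host="evil.com"
203.0.113.13 GET /reset?token=REDACTED host="app.target.com:443"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) host="(?P<host>[^"]*)"'
    r'(?: xfh="(?P<xfh>[^"]*)")?$'
)


def find_poisoned_reset_requests(log_text: str, allowed=ALLOWED_HOSTS) -> list:
    """Scan log lines and report reset-flow requests whose Host or
    X-Forwarded-Host is not on the allow-list, as (client ip, path, reason)."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_LINE.match(line)
        if not match:
            continue
        path = match.group("path").split("?", 1)[0]
        if not path.startswith(SENSITIVE_PATHS):
            continue                          # only the reset flow is in scope here
        headers = {"Host": match.group("host")}
        if match.group("xfh") is not None:
            headers["X-Forwarded-Host"] = match.group("xfh")
        ok, reason = host_is_allowed(headers, allowed)
        if not ok:
            findings.append((match.group("ip"), path, reason))
    return findings


if __name__ == "__main__":
    for finding in find_poisoned_reset_requests(SAMPLE_LOG):
        print("ALERT", *finding)
```

Run against the sample log this flags the two reset requests from 203.0.113.7 and 203.0.113.9 (foreign Host, and foreign X-Forwarded-Host behind a correct Host) while leaving the /login request alone, because the article scopes the rule to sensitive endpoints; the request with an explicit :443 port passes because the port is stripped before comparison.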

If the system assumes the Host header is trustworthy, a single mistake in that logic lets an attacker take over accounts in seconds. Bugs of this kind are currently earning five-figure bounty payouts. Whether you are developing or pentesting a password reset flow, verify now that the reset URL is being generated correctly!

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067