CVE-2026-35507: Insecure App Json Allowed Hosts

The default `app.json` configuration sets `ALLOWED_HOSTS` to a wildcard. With a wildcard entry, any Host header value an attacker supplies (including arbitrary subdomains) is accepted as valid, so incoming requests are not restricted to the application's real domain. Because frameworks build absolute URLs from the Host header, this enables password reset poisoning via Host header injection: an attacker who requests a password reset for a victim's account with a crafted Host header causes the reset link in the e-mail to point at a host the attacker controls, and the reset token is disclosed when the victim follows it. Require an explicit ALLOWE

Provally Curated | Public repository | Medium | Medium confidence | Verified | Apache-2.0 | json
greprules fetch cve-2026-35507-insecure-app-json-allowed-hosts --engine opengrep
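The check this rule performs, and the attack it prevents, as an added example that is not part of the rule page or of the greprules/opengrep tooling. It assumes a Heroku-style `app.json` with an `env` block (the page only states that `ALLOWED_HOSTS` is set to a wildcard), and it re-implements the `ALLOWED_HOSTS` matching semantics used by Django (`*` matches anything, a leading-dot pattern matches the domain and its subdomains, anything else is an exact match) so that it runs without the framework installed. The two `app.json` documents, the hostnames and the token are constructed sample input.

```python
import json

# Constructed sample input (assumption: Heroku-style app.json "env" block).
WEAK_APP_JSON = '''{
  "name": "example-app",
  "env": {
    "ALLOWED_HOSTS": {"value": "*"}
  }
}'''

FIXED_APP_JSON = '''{
  "name": "example-app",
  "env": {
    "ALLOWED_HOSTS": {"value": "app.example.com,.example.com"}
  }
}'''


def parse_allowed_hosts(app_json_text):
    """Return the ALLOWED_HOSTS patterns declared in an app.json env block.

    Accepts both the {"value": "..."} object form and a bare string value;
    a comma-separated list is split into individual patterns.
    """
    doc = json.loads(app_json_text)
    entry = doc.get("env", {}).get("ALLOWED_HOSTS")
    if entry is None:
        return []
    raw = entry["value"] if isinstance(entry, dict) else entry
    return [h.strip() for h in str(raw).split(",") if h.strip()]


def is_wildcard(patterns):
    """The finding this rule reports: a bare '*' anywhere in ALLOWED_HOSTS."""
    return "*" in patterns


def host_matches(host, pattern):
    """Mirror Django's ALLOWED_HOSTS matching for a single pattern.

    The port is stripped before matching (IPv6 literals are not handled in
    this simplified version), '*' matches any host, '.example.com' matches
    example.com and every subdomain, and anything else is an exact match.
    """
    host = host.lower().rstrip(".")
    if not host.startswith("[") and ":" in host:
        host = host.rsplit(":", 1)[0]
    pattern = pattern.lower()
    if pattern == "*":
        return True
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern


def host_allowed(host, patterns):
    return any(host_matches(host, p) for p in patterns)


def reset_link(host, token):
    """How a Host-header-derived absolute URL ends up in a reset e-mail."""
    return f"https://{host}/reset/{token}/"


def poisoned_reset_link(app_json_text, attacker_host, token):
    """Return the reset link an attacker-chosen Host header would produce
    under the given app.json, or None if the configuration rejects the host.
    """
    patterns = parse_allowed_hosts(app_json_text)
    if not host_allowed(attacker_host, patterns):
        return None
    return reset_link(attacker_host, token)


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_APP_JSON), ("fixed", FIXED_APP_JSON)):
        patterns = parse_allowed_hosts(doc)
        print(label, patterns, "wildcard" if is_wildcard(patterns) else "explicit",
              poisoned_reset_link(doc, "evil.example.net", "tok123"))
```

With the wildcard configuration the attacker's host is accepted and the reset e-mail carries a link to `evil.example.net`; with the explicit list the same request is rejected before any URL is built, while legitimate hosts such as `api.example.com` (covered by the `.example.com` pattern) continue to work.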
