CVE-2026-1089: User‑Controlled HTTP Header In Fortra's GoAnywhere MFT Allows Arbitrary DNS Lookups
Published Apr 21, 2026
·Updated
User‑Controlled HTTP Header in Fortra's GoAnywhere MFT prior to version 7.10.0 allows attackers to trigger a DNS lookup, as well as DNS Rebinding and Information Disclosure.
Affected Software
2 affected components
Fortra GoAnywhere MFT<7.10.0
Fortra Goanywhere Managed File Transfer<7.10.0
Remediation
Information
Upgrade to a remediated version (version 7.10.0 or later).
Event History
Apr 21, 2026
CVE Published
via MITRE·02:14 PM
Data Sourced
via MITRE·02:14 PM
RemedyDescriptionSeverityWeakness
Data Sourced
via NVD·03:16 PM
DescriptionSeverityWeaknessAffected Software
Frequently Asked Questions
1
What is the severity of CVE-2026-1089?
CVE-2026-1089 is considered a moderate severity vulnerability that allows for user-controlled DNS lookups.
2
How do I fix CVE-2026-1089?
To mitigate CVE-2026-1089, upgrade Fortra's GoAnywhere MFT to version 7.10.0 or later.
3
What are the main risks associated with CVE-2026-1089?
The main risks of CVE-2026-1089 include potential DNS rebinding attacks and unauthorized information disclosure.
4
Which versions of Fortra GoAnywhere MFT are affected by CVE-2026-1089?
CVE-2026-1089 affects Fortra GoAnywhere MFT versions prior to 7.10.0.
5
Who is impacted by CVE-2026-1089?
Organizations using affected versions of Fortra's GoAnywhere MFT are impacted by CVE-2026-1089.