CWE-601
AllowedURL Redirection to Untrusted Site ('Open Redirect')
Abstraction: Base · Status: Draft
The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
2307 vulnerabilities reference this CWE, most recent first.
GHSA-R8HW-2VG3-PCPX
Vulnerability from github – Published: 2022-05-24 17:10 – Updated: 2022-05-24 17:10There is an improper restriction of rendered UI layers or frames vulnerability in Micro Focus Service Manager Release Control versions 9.50 and 9.60. The vulnerability may result in the ability of malicious users to perform UI redress attacks.
{
"affected": [],
"aliases": [
"CVE-2020-9517"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-03-09T16:15:00Z",
"severity": "MODERATE"
},
"details": "There is an improper restriction of rendered UI layers or frames vulnerability in Micro Focus Service Manager Release Control versions 9.50 and 9.60. The vulnerability may result in the ability of malicious users to perform UI redress attacks.",
"id": "GHSA-r8hw-2vg3-pcpx",
"modified": "2022-05-24T17:10:31Z",
"published": "2022-05-24T17:10:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9517"
},
{
"type": "WEB",
"url": "https://softwaresupport.softwaregrp.com/doc/KM03604692"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-R95X-QFJJ-FJJ2
Vulnerability from github – Published: 2026-05-13 01:36 – Updated: 2026-06-08 23:53Summary
An unauthenticated open redirect in Authlib's OpenIDImplicitGrant and OpenIDHybridGrant authorization endpoint lets a remote attacker cause the authorization server to issue an HTTP 302 to an attacker-chosen URL by submitting an authorization request that omits the openid scope.
Details
Vulnerable code
OpenIDImplicitGrant.validate_authorization_request in authlib/oidc/core/grants/implicit.py:
def validate_authorization_request(self):
if not is_openid_scope(self.request.payload.scope):
raise InvalidScopeError(
"Missing 'openid' scope",
redirect_uri=self.request.payload.redirect_uri, # ← raw, unvalidated
redirect_fragment=True,
)
redirect_uri = super().validate_authorization_request()
...
OpenIDHybridGrant.validate_authorization_request in authlib/oidc/core/grants/hybrid.py shares the same pattern.
Root cause
Both methods perform the openid scope presence check before delegating to super().validate_authorization_request(), which is where AuthorizationEndpointMixin.validate_authorization_redirect_uri validates the requested redirect_uri against the client's check_redirect_uri(...). The InvalidScopeError thrown by the scope check therefore carries attacker-controlled self.request.payload.redirect_uri.
OAuth2Error.__call__ in authlib/oauth2/base.py renders any error with a non-empty redirect_uri as an HTTP 302:
def __call__(self, uri=None):
if self.redirect_uri:
params = self.get_body()
loc = add_params_to_uri(self.redirect_uri, params, self.redirect_fragment)
return 302, "", [("Location", loc)]
return super().__call__(uri=uri)
A malformed authorization request that selects OpenIDImplicitGrant or OpenIDHybridGrant and omits the openid scope is therefore redirected to a fully attacker-chosen URL.
This is a variant of the issue fixed in commit 3be08468 ("fix: redirecting to unvalidated redirect_uri on UnsupportedResponseTypeError") that was missed in the OIDC Implicit and Hybrid grants.
Preconditions
- The server registers
OpenIDImplicitGrantorOpenIDHybridGrant(standard OIDC Implicit or Hybrid flow support). - The attacker's request uses a
response_typethat matches either grant:id_token,id_token token,code id_token,code token, orcode id_token token. scopedoes not containopenid.- Any
redirect_urivalue.
No user authentication, no consent, no valid session, no CSRF token, and — notably — no valid client_id are required. The scope check runs before any client lookup, so any client_id value (including nonexistent ones) reaches the vulnerable code path.
PoC
The following unauthenticated GET is sufficient to induce the authorization server to redirect a victim's browser to an attacker-controlled URL:
GET /oauth/authorize
?response_type=id_token
&client_id=anything
&scope=profile
&redirect_uri=https%3A%2F%2Fevil.example.com%2Fphish
&state=s&nonce=n HTTP/1.1
Host: victim-op.example
Server response:
HTTP/1.1 302 Found
Location: https://evil.example.com/phish#error=invalid_scope&error_description=Missing+%27openid%27+scope&state=s
Impact
- Open redirect from a trusted authorization server origin. Victims receiving a phishing link see the legitimate OIDC provider's domain in the URL bar at the moment they click. The authorization server itself issues the 302 to the attacker's page, lending the attacker's landing page the OP's reputation and potentially satisfying domain-allow-list controls that trust the OP.
- Phishing / credential harvesting leverage. The attacker's page can mimic the legitimate OP's consent screen or a relying-party error page to solicit credentials, MFA codes, or to continue a downstream confused-deputy attack.
- RFC violation. RFC 6749 §4.1.2.1 and RFC 9700 (OAuth 2.0 Security BCP) §4.11 both state that an authorization server MUST NOT perform redirection to a
redirect_urithat has not been validated against the client's registered URIs, even in error responses. Thestateparameter is echoed back, giving the attacker site a stable correlator. - No direct token/code leak. This flaw fires before any authorization decision, so no authorization codes, ID tokens, or access tokens are disclosed. The impact is limited to open-redirect phishing leverage. Combined with other issues (e.g., downstream SSO trust chains) it may contribute to account-takeover chains; on its own it is a Medium-severity open redirect.
Affected deployments
Any application using Authlib as an OIDC provider that registers OpenIDImplicitGrant and/or OpenIDHybridGrant — i.e. anyone supporting the Implicit flow or the Hybrid flow (response_type=code id_token, etc.) — is affected. Clients of an Authlib-based OP are not directly affected; this is a server-side issue.
Authorization servers that only register the plain AuthorizationCodeGrant (code flow, with or without PKCE and the OpenIDCode extension) are not affected by this specific variant: the code-flow grant validates redirect_uri before raising scope errors. If you were affected by the sibling issue fixed in 3be08468 (UnsupportedResponseTypeError), you should already be on 1.6.10 or later; this advisory is independent of that fix.
Suggested fix
The attached fix-oidc-open-redirect.patch reorders each method to delegate to its super (or call validate_code_authorization_request for Hybrid) first, and then performs the openid-scope check with the validated redirect_uri variable.
# authlib/oidc/core/grants/implicit.py
def validate_authorization_request(self):
redirect_uri = super().validate_authorization_request() # runs client + redirect_uri validation
if not is_openid_scope(self.request.payload.scope):
raise InvalidScopeError(
"Missing 'openid' scope",
redirect_uri=redirect_uri, # validated
redirect_fragment=True,
)
try:
validate_nonce(self.request, self.exists_nonce, required=True)
except OAuth2Error as error:
error.redirect_uri = redirect_uri
error.redirect_fragment = True
raise error
return redirect_uri
An equivalent transform is applied to OpenIDHybridGrant.validate_authorization_request, invoking validate_code_authorization_request first and only then checking is_openid_scope.
Alternatively, inline a client = query_client(request.payload.client_id) + client.check_redirect_uri(request.payload.redirect_uri) guard before populating redirect_uri on the error — the pattern used in 3be08468.
The patch also adds regression tests analogous to test_unsupported_response_type_does_not_redirect from commit 3be08468, asserting rv.status_code == 400 and rv.headers.get("Location") is None for an unregistered redirect_uri with a non-openid scope.
Workarounds
No clean server-side workaround exists short of patching. Partial mitigations:
- Unregister
OpenIDImplicitGrantandOpenIDHybridGrantif the Implicit and Hybrid flows are not required. (RFC 9700 deprecates the Implicit flow and discourages Hybrid flows, so this is recommended anyway.) - Front the
/authorizeendpoint with a reverse proxy rule that rejects requests containing both aredirect_uriparameter and ascopethat does not includeopenidwhenresponse_typematches the vulnerable set. This is fragile and not recommended as a primary control.
References
- RFC 6749, §4.1.2.1 — Error Response (OAuth 2.0 authorization endpoint)
- RFC 9700, §4.11 — Redirect URI validation
- OpenID Connect Core 1.0, §3.2.2.6 / §3.3.2.6 — Authentication Error Response
- Authlib commit
3be08468— prior fix for the same class of issue inUnsupportedResponseTypeError(Authlib 1.6.10) - Authlib source (by symbol; verified in commit
5d2e603e): OpenIDImplicitGrant.validate_authorization_request—authlib/oidc/core/grants/implicit.pyOpenIDHybridGrant.validate_authorization_request—authlib/oidc/core/grants/hybrid.pyOAuth2Error.__call__—authlib/oauth2/base.py(renders errors withredirect_urias HTTP 302)AuthorizationEndpointMixin.validate_authorization_redirect_uri—authlib/oauth2/rfc6749/grants/base.py(the validation that is bypassed)
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "authlib"
},
"ranges": [
{
"events": [
{
"introduced": "1.7.0"
},
{
"fixed": "1.7.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.7.0"
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.6.11"
},
"package": {
"ecosystem": "PyPI",
"name": "authlib"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44681"
],
"database_specific": {
"cwe_ids": [
"CWE-601",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-13T01:36:03Z",
"nvd_published_at": "2026-05-27T20:16:37Z",
"severity": "MODERATE"
},
"details": "### Summary\n\nAn unauthenticated open redirect in Authlib\u0027s `OpenIDImplicitGrant` and `OpenIDHybridGrant` authorization endpoint lets a remote attacker cause the authorization server to issue an HTTP 302 to an attacker-chosen URL by submitting an authorization request that omits the `openid` scope.\n\n### Details\n\n#### Vulnerable code\n\n`OpenIDImplicitGrant.validate_authorization_request` in `authlib/oidc/core/grants/implicit.py`:\n\n```python\ndef validate_authorization_request(self):\n if not is_openid_scope(self.request.payload.scope):\n raise InvalidScopeError(\n \"Missing \u0027openid\u0027 scope\",\n redirect_uri=self.request.payload.redirect_uri, # \u2190 raw, unvalidated\n redirect_fragment=True,\n )\n redirect_uri = super().validate_authorization_request()\n ...\n```\n\n`OpenIDHybridGrant.validate_authorization_request` in `authlib/oidc/core/grants/hybrid.py` shares the same pattern.\n\n#### Root cause\n\nBoth methods perform the `openid` scope presence check before delegating to `super().validate_authorization_request()`, which is where `AuthorizationEndpointMixin.validate_authorization_redirect_uri` validates the requested `redirect_uri` against the client\u0027s `check_redirect_uri(...)`. The `InvalidScopeError` thrown by the scope check therefore carries attacker-controlled `self.request.payload.redirect_uri`.\n\n`OAuth2Error.__call__` in `authlib/oauth2/base.py` renders any error with a non-empty `redirect_uri` as an HTTP 302:\n\n```python\ndef __call__(self, uri=None):\n if self.redirect_uri:\n params = self.get_body()\n loc = add_params_to_uri(self.redirect_uri, params, self.redirect_fragment)\n return 302, \"\", [(\"Location\", loc)]\n return super().__call__(uri=uri)\n```\n\nA malformed authorization request that selects `OpenIDImplicitGrant` or `OpenIDHybridGrant` and omits the `openid` scope is therefore redirected to a fully attacker-chosen URL.\n\nThis is a variant of the issue fixed in commit [`3be08468`](https://github.com/authlib/authlib/commit/3be08468) (\"fix: redirecting to unvalidated `redirect_uri` on `UnsupportedResponseTypeError`\") that was missed in the OIDC Implicit and Hybrid grants.\n\n#### Preconditions\n\n1. The server registers `OpenIDImplicitGrant` or `OpenIDHybridGrant` (standard OIDC Implicit or Hybrid flow support).\n2. The attacker\u0027s request uses a `response_type` that matches either grant: `id_token`, `id_token token`, `code id_token`, `code token`, or `code id_token token`.\n3. `scope` does not contain `openid`.\n4. Any `redirect_uri` value.\n\nNo user authentication, no consent, no valid session, no CSRF token, and \u2014 notably \u2014 no valid `client_id` are required. The scope check runs before any client lookup, so any `client_id` value (including nonexistent ones) reaches the vulnerable code path.\n\n### PoC\n\nThe following unauthenticated GET is sufficient to induce the authorization server to redirect a victim\u0027s browser to an attacker-controlled URL:\n\n```\nGET /oauth/authorize\n ?response_type=id_token\n \u0026client_id=anything\n \u0026scope=profile\n \u0026redirect_uri=https%3A%2F%2Fevil.example.com%2Fphish\n \u0026state=s\u0026nonce=n HTTP/1.1\nHost: victim-op.example\n```\n\nServer response:\n\n```\nHTTP/1.1 302 Found\nLocation: https://evil.example.com/phish#error=invalid_scope\u0026error_description=Missing+%27openid%27+scope\u0026state=s\n```\n\n### Impact\n\n- Open redirect from a trusted authorization server origin. Victims receiving a phishing link see the legitimate OIDC provider\u0027s domain in the URL bar at the moment they click. The authorization server itself issues the 302 to the attacker\u0027s page, lending the attacker\u0027s landing page the OP\u0027s reputation and potentially satisfying domain-allow-list controls that trust the OP.\n- Phishing / credential harvesting leverage. The attacker\u0027s page can mimic the legitimate OP\u0027s consent screen or a relying-party error page to solicit credentials, MFA codes, or to continue a downstream confused-deputy attack.\n- RFC violation. RFC 6749 \u00a74.1.2.1 and RFC 9700 (OAuth 2.0 Security BCP) \u00a74.11 both state that an authorization server MUST NOT perform redirection to a `redirect_uri` that has not been validated against the client\u0027s registered URIs, even in error responses. The `state` parameter is echoed back, giving the attacker site a stable correlator.\n- No direct token/code leak. This flaw fires before any authorization decision, so no authorization codes, ID tokens, or access tokens are disclosed. The impact is limited to open-redirect phishing leverage. Combined with other issues (e.g., downstream SSO trust chains) it may contribute to account-takeover chains; on its own it is a Medium-severity open redirect.\n\n#### Affected deployments\n\nAny application using Authlib as an OIDC provider that registers `OpenIDImplicitGrant` and/or `OpenIDHybridGrant` \u2014 i.e. anyone supporting the Implicit flow or the Hybrid flow (`response_type=code id_token`, etc.) \u2014 is affected. Clients of an Authlib-based OP are not directly affected; this is a server-side issue.\n\nAuthorization servers that only register the plain `AuthorizationCodeGrant` (code flow, with or without PKCE and the `OpenIDCode` extension) are not affected by this specific variant: the code-flow grant validates `redirect_uri` before raising scope errors. If you were affected by the sibling issue fixed in `3be08468` (`UnsupportedResponseTypeError`), you should already be on `1.6.10` or later; this advisory is independent of that fix.\n\n### Suggested fix\n\nThe attached `fix-oidc-open-redirect.patch` reorders each method to delegate to its super (or call `validate_code_authorization_request` for Hybrid) first, and then performs the `openid`-scope check with the validated `redirect_uri` variable.\n\n```python\n# authlib/oidc/core/grants/implicit.py\ndef validate_authorization_request(self):\n redirect_uri = super().validate_authorization_request() # runs client + redirect_uri validation\n if not is_openid_scope(self.request.payload.scope):\n raise InvalidScopeError(\n \"Missing \u0027openid\u0027 scope\",\n redirect_uri=redirect_uri, # validated\n redirect_fragment=True,\n )\n try:\n validate_nonce(self.request, self.exists_nonce, required=True)\n except OAuth2Error as error:\n error.redirect_uri = redirect_uri\n error.redirect_fragment = True\n raise error\n return redirect_uri\n```\n\nAn equivalent transform is applied to `OpenIDHybridGrant.validate_authorization_request`, invoking `validate_code_authorization_request` first and only then checking `is_openid_scope`.\n\nAlternatively, inline a `client = query_client(request.payload.client_id)` + `client.check_redirect_uri(request.payload.redirect_uri)` guard before populating `redirect_uri` on the error \u2014 the pattern used in `3be08468`.\n\nThe patch also adds regression tests analogous to `test_unsupported_response_type_does_not_redirect` from commit `3be08468`, asserting `rv.status_code == 400` and `rv.headers.get(\"Location\") is None` for an unregistered `redirect_uri` with a non-`openid` scope.\n\n### Workarounds\n\nNo clean server-side workaround exists short of patching. Partial mitigations:\n\n- Unregister `OpenIDImplicitGrant` and `OpenIDHybridGrant` if the Implicit and Hybrid flows are not required. (RFC 9700 deprecates the Implicit flow and discourages Hybrid flows, so this is recommended anyway.)\n- Front the `/authorize` endpoint with a reverse proxy rule that rejects requests containing both a `redirect_uri` parameter and a `scope` that does not include `openid` when `response_type` matches the vulnerable set. This is fragile and not recommended as a primary control.\n\n### References\n\n- RFC 6749, \u00a74.1.2.1 \u2014 Error Response (OAuth 2.0 authorization endpoint)\n- RFC 9700, \u00a74.11 \u2014 Redirect URI validation\n- OpenID Connect Core 1.0, \u00a73.2.2.6 / \u00a73.3.2.6 \u2014 Authentication Error Response\n- Authlib commit [`3be08468`](https://github.com/authlib/authlib/commit/3be08468) \u2014 prior fix for the same class of issue in `UnsupportedResponseTypeError` (Authlib 1.6.10)\n- Authlib source (by symbol; verified in commit `5d2e603e`):\n - `OpenIDImplicitGrant.validate_authorization_request` \u2014 `authlib/oidc/core/grants/implicit.py`\n - `OpenIDHybridGrant.validate_authorization_request` \u2014 `authlib/oidc/core/grants/hybrid.py`\n - `OAuth2Error.__call__` \u2014 `authlib/oauth2/base.py` (renders errors with `redirect_uri` as HTTP 302)\n - `AuthorizationEndpointMixin.validate_authorization_redirect_uri` \u2014 `authlib/oauth2/rfc6749/grants/base.py` (the validation that is bypassed)",
"id": "GHSA-r95x-qfjj-fjj2",
"modified": "2026-06-08T23:53:47Z",
"published": "2026-05-13T01:36:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/authlib/authlib/security/advisories/GHSA-r95x-qfjj-fjj2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44681"
},
{
"type": "PACKAGE",
"url": "https://github.com/authlib/authlib"
},
{
"type": "WEB",
"url": "https://github.com/authlib/authlib/releases/tag/v1.6.12"
},
{
"type": "WEB",
"url": "https://github.com/authlib/authlib/releases/tag/v1.7.1"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/authlib/PYSEC-2026-188.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Authlib OIDC Implicit/Hybrid Authorization Vulnerable to Open Redirect"
}
GHSA-R992-XPH6-H7X2
Vulnerability from github – Published: 2022-02-12 00:00 – Updated: 2022-02-23 21:57microweber prior to 1.2.11 is vulnerable to open redirect.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "microweber/microweber"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.11"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-0560"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": true,
"github_reviewed_at": "2022-02-14T22:49:46Z",
"nvd_published_at": "2022-02-11T13:15:00Z",
"severity": "MODERATE"
},
"details": "microweber prior to 1.2.11 is vulnerable to open redirect.",
"id": "GHSA-r992-xph6-h7x2",
"modified": "2022-02-23T21:57:38Z",
"published": "2022-02-12T00:00:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0560"
},
{
"type": "WEB",
"url": "https://github.com/microweber/microweber/commit/72d4b12cc487f56a859a8570ada4efb77b4b8c63"
},
{
"type": "PACKAGE",
"url": "https://github.com/microweber/microweber"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/c9d586e7-0fa1-47ab-a2b3-b890e8dc9b25"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Open redirect in microweber"
}
GHSA-R9QJ-Q2G9-R74R
Vulnerability from github – Published: 2025-11-12 18:31 – Updated: 2025-11-12 18:31In Splunk Enterprise versions below 10.0.1, 9.4.5, 9.3.7, 9.2.9, and Splunk Cloud Platform versions below 10.0.2503.5, 9.3.2411.111, and 9.3.2408.121, an unauthenticated attacker could craft a malicious URL using the return_to parameter of the Splunk Web login endpoint. When an authenticated user visits the malicious URL, it could cause an unvalidated redirect to an external malicious site. To be successful, the attacker has to trick the victim into initiating a request from their browser. The unauthenticated attacker should not be able to exploit the vulnerability at will.
{
"affected": [],
"aliases": [
"CVE-2025-20378"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-12T18:15:34Z",
"severity": "LOW"
},
"details": "In Splunk Enterprise versions below 10.0.1, 9.4.5, 9.3.7, 9.2.9, and Splunk Cloud Platform versions below 10.0.2503.5, 9.3.2411.111, and 9.3.2408.121, an unauthenticated attacker could craft a malicious URL using the `return_to` parameter of the Splunk Web login endpoint. When an authenticated user visits the malicious URL, it could cause an unvalidated redirect to an external malicious site. To be successful, the attacker has to trick the victim into initiating a request from their browser. The unauthenticated attacker should not be able to exploit the vulnerability at will.",
"id": "GHSA-r9qj-q2g9-r74r",
"modified": "2025-11-12T18:31:25Z",
"published": "2025-11-12T18:31:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20378"
},
{
"type": "WEB",
"url": "https://advisory.splunk.com/advisories/SVD-2025-1101"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-R9R9-WG76-6QMQ
Vulnerability from github – Published: 2026-07-15 12:32 – Updated: 2026-07-15 12:32The Grav API plugin (grav-plugin-api) before 1.0.4 does not validate the origin of the client-supplied admin_base_url field in the POST /api/v1/auth/forgot-password endpoint. The sanitizeHttpUrl() function only checks that the URL scheme is http/https and never verifies the host against the server's own origin, so an attacker can supply an arbitrary host. As a result, an unauthenticated attacker can cause the password reset email sent to a victim to contain a reset link pointing at an attacker-controlled server; when the victim follows the link, the valid reset token is disclosed to the attacker, enabling full account takeover. The vulnerable base URL can also be influenced via the Referer or Origin headers.
{
"affected": [],
"aliases": [
"CVE-2026-61451"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-15T12:18:19Z",
"severity": "CRITICAL"
},
"details": "The Grav API plugin (grav-plugin-api) before 1.0.4 does not validate the origin of the client-supplied admin_base_url field in the POST /api/v1/auth/forgot-password endpoint. The sanitizeHttpUrl() function only checks that the URL scheme is http/https and never verifies the host against the server\u0027s own origin, so an attacker can supply an arbitrary host. As a result, an unauthenticated attacker can cause the password reset email sent to a victim to contain a reset link pointing at an attacker-controlled server; when the victim follows the link, the valid reset token is disclosed to the attacker, enabling full account takeover. The vulnerable base URL can also be influenced via the Referer or Origin headers.",
"id": "GHSA-r9r9-wg76-6qmq",
"modified": "2026-07-15T12:32:04Z",
"published": "2026-07-15T12:32:04Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/getgrav/grav/security/advisories/GHSA-5xc4-j99p-cp4m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-61451"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/grav-before-password-reset-token-poisoning-via-admin-base-url"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-RC3X-JF5G-XVC5
Vulnerability from github – Published: 2022-02-26 00:00 – Updated: 2022-03-09 21:08Karma before 6.3.16 is vulnerable to Open Redirect due to missing validation of the return_url query parameter.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "karma"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "6.3.16"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-23495"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": true,
"github_reviewed_at": "2022-03-01T19:17:53Z",
"nvd_published_at": "2022-02-25T20:15:00Z",
"severity": "MODERATE"
},
"details": "Karma before 6.3.16 is vulnerable to Open Redirect due to missing validation of the return_url query parameter.",
"id": "GHSA-rc3x-jf5g-xvc5",
"modified": "2022-03-09T21:08:20Z",
"published": "2022-02-26T00:00:38Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23495"
},
{
"type": "WEB",
"url": "https://github.com/karma-runner/karma/commit/ff7edbb2ffbcdd69761bece86b7dc1ef0740508d"
},
{
"type": "PACKAGE",
"url": "https://github.com/karma-runner/karma"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2412347"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-JS-KARMA-2396325"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Open redirect in karma"
}
GHSA-RCH3-82JR-F9W9
Vulnerability from github – Published: 2026-04-30 17:25 – Updated: 2026-05-08 19:26Impact
A stored Cross-Site Scripting (XSS) vulnerability in Jupyter Notebook allows attackers to steal authentication tokens from users who open malicious notebook files and interact with elements that the attacker can make look indistinguishable from legitimate controls (single click interaction).
The vulnerability enables complete account takeover through the Jupyter REST API, allowing the attacker to: 1. Read all files 2. Modify/create files 3. Access running kernels and execute arbitrary code 4. Create terminals for shell access
Patches
Jupyter Notebook 7.5.6 and JupyterLab 4.5.7 include patches for this vulnerability.
Workarounds
The help extension can be disabled via CLI:
jupyter labextension disable @jupyter-notebook/help-extension
jupyter labextension disable @jupyterlab/help-extension
Hardening
The patched versions include a toggle to disable the command linker functionality altogether, for example via overrides.json:
{
"@jupyterlab/apputils-extension:sanitizer": {
"allowCommandLinker": false
}
}
Resources
- https://jupyterlab.readthedocs.io/en/latest/user/commands.html#commands-in-markdown-output-and-files
Acknowledgments
Reported by Daniel Teixeira - NVIDIA AI Red Team
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 7.5.5"
},
"package": {
"ecosystem": "npm",
"name": "@jupyter-notebook/help-extension"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.5.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 7.5.5"
},
"package": {
"ecosystem": "PyPI",
"name": "notebook"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.5.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.5.6"
},
"package": {
"ecosystem": "PyPI",
"name": "jupyterlab"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.5.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.5.6"
},
"package": {
"ecosystem": "npm",
"name": "@jupyterlab/help-extension"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.5.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-40171"
],
"database_specific": {
"cwe_ids": [
"CWE-601",
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-30T17:25:47Z",
"nvd_published_at": "2026-05-06T20:16:31Z",
"severity": "HIGH"
},
"details": "### Impact\n\nA stored Cross-Site Scripting (XSS) vulnerability in Jupyter Notebook allows attackers to steal authentication tokens from users who open malicious notebook files and interact with elements that the attacker can make look indistinguishable from legitimate controls (single click interaction).\n\nThe vulnerability enables complete account takeover through the Jupyter REST API, allowing the attacker to:\n1. Read all files\n2. Modify/create files\n3. Access running kernels and execute arbitrary code\n4. Create terminals for shell access\n\n### Patches\n\nJupyter Notebook 7.5.6 and JupyterLab 4.5.7 include patches for this vulnerability.\n\n### Workarounds\n\nThe help extension can be disabled via CLI:\n\n```\njupyter labextension disable @jupyter-notebook/help-extension\njupyter labextension disable @jupyterlab/help-extension\n```\n\n### Hardening\n\nThe patched versions include a toggle to disable the command linker functionality altogether, for example via `overrides.json`:\n\n```json\n{\n \"@jupyterlab/apputils-extension:sanitizer\": {\n \"allowCommandLinker\": false\n }\n}\n```\n\n### Resources\n\n- https://jupyterlab.readthedocs.io/en/latest/user/commands.html#commands-in-markdown-output-and-files\n\n### Acknowledgments\n\nReported by Daniel Teixeira - NVIDIA AI Red Team",
"id": "GHSA-rch3-82jr-f9w9",
"modified": "2026-05-08T19:26:04Z",
"published": "2026-04-30T17:25:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jupyter/notebook/security/advisories/GHSA-rch3-82jr-f9w9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40171"
},
{
"type": "PACKAGE",
"url": "https://github.com/jupyter/notebook"
},
{
"type": "WEB",
"url": "https://jupyterlab.readthedocs.io/en/latest/user/commands.html#commands-in-markdown-output-and-files"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Jupyter Notebook Vulnerable to Authentication Token Theft via CommandLinker XSS"
}
GHSA-RCMJ-XP8F-F6Q4
Vulnerability from github – Published: 2022-05-01 23:55 – Updated: 2025-04-09 18:53Open redirect vulnerability in the search script in Trac before 0.10.5 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the q parameter, possibly related to the quickjump function.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "trac"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.10.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2008-2951"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-601"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-22T18:59:27Z",
"nvd_published_at": "2008-07-27T22:41:00Z",
"severity": "MODERATE"
},
"details": "Open redirect vulnerability in the search script in Trac before 0.10.5 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the q parameter, possibly related to the quickjump function.",
"id": "GHSA-rcmj-xp8f-f6q4",
"modified": "2025-04-09T18:53:52Z",
"published": "2022-05-01T23:55:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2008-2951"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/44043"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/trac/PYSEC-2008-4.yaml"
},
{
"type": "WEB",
"url": "https://www.redhat.com/archives/fedora-package-announce/2008-July/msg01261.html"
},
{
"type": "WEB",
"url": "https://www.redhat.com/archives/fedora-package-announce/2008-July/msg01270.html"
},
{
"type": "WEB",
"url": "http://holisticinfosec.org/content/view/72/45"
},
{
"type": "WEB",
"url": "http://trac.edgewall.org/wiki/ChangeLog"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Trac Open Redirect vulnerability"
}
GHSA-RCX2-M7JP-P9WJ
Vulnerability from github – Published: 2019-04-09 19:47 – Updated: 2024-09-26 14:16In Jupyter Notebook before 5.7.8, an open redirect can occur via an empty netloc. This issue exists because of an incomplete fix for CVE-2019-10255.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "notebook"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.7.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-10856"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:54:28Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "In Jupyter Notebook before 5.7.8, an open redirect can occur via an empty netloc. This issue exists because of an incomplete fix for CVE-2019-10255.",
"id": "GHSA-rcx2-m7jp-p9wj",
"modified": "2024-09-26T14:16:05Z",
"published": "2019-04-09T19:47:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10856"
},
{
"type": "WEB",
"url": "https://github.com/jupyter/notebook/commit/979e0bd15e794ceb00cc63737fcd5fd9addc4a99"
},
{
"type": "WEB",
"url": "https://blog.jupyter.org/open-redirect-vulnerability-in-jupyter-jupyterhub-adf43583f1e4"
},
{
"type": "PACKAGE",
"url": "https://github.com/jupyter/notebook"
},
{
"type": "WEB",
"url": "https://github.com/jupyter/notebook/compare/16cf97c...b8e30ea"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/notebook/PYSEC-2019-158.yaml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Jupyter Notebook open redirect vulnerability"
}
GHSA-RCXH-CXJX-W475
Vulnerability from github – Published: 2023-01-30 21:30 – Updated: 2023-02-07 18:30The SAML SSO Standard WordPress plugin version 16.0.0 before 16.0.8, SAML SSO Premium WordPress plugin version 12.0.0 before 12.1.0 and SAML SSO Premium Multisite WordPress plugin version 20.0.0 before 20.0.7 does not validate that the redirect parameter to its SSO login endpoint points to an internal site URL, making it vulnerable to an Open Redirect issue when the user is already logged in.
{
"affected": [],
"aliases": [
"CVE-2022-4496"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-01-30T21:15:00Z",
"severity": "MODERATE"
},
"details": "The SAML SSO Standard WordPress plugin version 16.0.0 before 16.0.8, SAML SSO Premium WordPress plugin version 12.0.0 before 12.1.0 and SAML SSO Premium Multisite WordPress plugin version 20.0.0 before 20.0.7 does not validate that the redirect parameter to its SSO login endpoint points to an internal site URL, making it vulnerable to an Open Redirect issue when the user is already logged in.",
"id": "GHSA-rcxh-cxjx-w475",
"modified": "2023-02-07T18:30:18Z",
"published": "2023-01-30T21:30:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4496"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/af2e30c7-0787-4fe2-97ee-bc616f7178a1"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/be21f355-0e5b-4ad7-9d8f-85e9a0101ddc"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/e6c4c8c7-1dcd-45bf-8582-f12accca6fac"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- Use a list of approved URLs or domains to be used for redirection.
Mitigation
Use an intermediate disclaimer page that provides the user with a clear warning that they are leaving the current site. Implement a long timeout before the redirect occurs, or force the user to click on the link. Be careful to avoid XSS problems (CWE-79) when generating the disclaimer page.
Mitigation MIT-21.2
Strategy: Enforcement by Conversion
- When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
- For example, ID 1 could map to "/login.asp" and ID 2 could map to "http://www.example.com/". Features such as the ESAPI AccessReferenceMap [REF-45] provide this capability.
Mitigation
Ensure that no externally-supplied requests are honored by requiring that all redirect requests include a unique nonce generated by the application [REF-483]. Be sure that the nonce is not predictable (CWE-330).
Mitigation MIT-6
Strategy: Attack Surface Reduction
- Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls.
- Many open redirect problems occur because the programmer assumed that certain inputs could not be modified, such as cookies and hidden form fields.
Mitigation MIT-29
Strategy: Firewall
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
CAPEC-178: Cross-Site Flashing
An attacker is able to trick the victim into executing a Flash document that passes commands or calls to a Flash player browser plugin, allowing the attacker to exploit native Flash functionality in the client browser. This attack pattern occurs where an attacker can provide a crafted link to a Flash document (SWF file) which, when followed, will cause additional malicious instructions to be executed. The attacker does not need to serve or control the Flash document. The attack takes advantage of the fact that Flash files can reference external URLs. If variables that serve as URLs that the Flash application references can be controlled through parameters, then by creating a link that includes values for those parameters, an attacker can cause arbitrary content to be referenced and possibly executed by the targeted Flash application.