GHSA-8W27-C4VC-88Q9

Vulnerability from github – Published: 2026-07-01 19:01 – Updated: 2026-07-01 19:01
VLAI
Summary
Concourse login flow has an open redirect issue
Details

Impact

An attacker is able to craft and send a user a URL that will redirect the user from the Concourse web server to any other site. This could be used in a phishing attack to steal user's credentials.

Patches

This has been fixed in 8.2.3

Workarounds

None.

Exploit

Vulnerable code was in: https://github.com/concourse/concourse/blob/ea7b812e3a88fdd070f0faece874e8a2d4fbb31c/skymarshal/skyserver/skyserver.go#L162-L170

The issue stems from the underlying processing logic of Go's url package. Normally, ParseRequestURI() will eventually reach an internal url.setPath() function, where the URL will be decoded. However, if RawPath is not empty and validEncoded(RawPath) is true, and the decoded result equals Path, then return RawPath as is; otherwise, escape Path again, i.e., decode it again.

In other words, if the URL contains dangerous characters that should be escaped, such as backslashes (\), then an extra decoding step will be performed. Therefore, /%2Fexample.com will be parsed as //example.com.

On vulnerable versions of Concourse, add /sky/login?redirect_uri=/%252Fexample.com/\ to your Concourse external URL, login as usual, and you should be redirected to example.com instead of your Concourse web server. The redirect happens after the login flow completes. No credentials are leaked.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/concourse/concourse"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.1-0.20260526150512-ac60be5f0435"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-49826"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-01T19:01:16Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Impact\n\nAn attacker is able to craft and send a user a URL that will redirect the user from the Concourse web server to any other site. This could be used in a phishing attack to steal user\u0027s credentials.\n\n### Patches\n\nThis has been fixed in 8.2.3\n\n### Workarounds\n\nNone.\n\n### Exploit\n\nVulnerable code was in: https://github.com/concourse/concourse/blob/ea7b812e3a88fdd070f0faece874e8a2d4fbb31c/skymarshal/skyserver/skyserver.go#L162-L170\n\nThe issue stems from the underlying processing logic of Go\u0027s `url` package. Normally, `ParseRequestURI()` will eventually reach an internal `url.setPath()` function, where the URL will be decoded. However, if `RawPath` is not empty and `validEncoded(RawPath)` is true, and the decoded result equals `Path`, then return `RawPath` as is; otherwise, escape `Path` again, i.e., decode it again.\n\nIn other words, if the URL contains dangerous characters that should be escaped, such as backslashes (`\\`), then an extra decoding step will be performed. Therefore, `/%2Fexample.com` will be parsed as `//example.com`.\n\nOn vulnerable versions of Concourse, add `/sky/login?redirect_uri=/%252Fexample.com/\\` to your Concourse external URL, login as usual, and you should be redirected to `example.com` instead of your Concourse web server. The redirect happens after the login flow completes. No credentials are leaked.",
  "id": "GHSA-8w27-c4vc-88q9",
  "modified": "2026-07-01T19:01:16Z",
  "published": "2026-07-01T19:01:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/concourse/concourse/security/advisories/GHSA-8w27-c4vc-88q9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/concourse/concourse/commit/ac60be5f0435b6592f5a4fcc089050d72ad2452c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/concourse/concourse"
    },
    {
      "type": "WEB",
      "url": "https://github.com/concourse/concourse/releases/tag/v8.2.3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Concourse login flow has an open redirect issue"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…