GHSA-X7QQ-M748-8P2C
Vulnerability from github – Published: 2026-06-30 18:31 – Updated: 2026-06-30 18:31Impact
Probo's saferedirect package validates redirect URLs used across authentication flows (OIDC, SAML, session transfer, OAuth connectors, and trust-center magic links). The validator only inspected the second character of relative paths, so a URL like /../\evil.com passed validation because the second character is .. Go's http.Redirect normalizes this path to /\evil.com before setting the Location header. Browsers can interpret the backslash as a host separator and redirect the user to an external domain (https://evil.com), bypassing the intended same-origin restriction. This enables open-redirect phishing: an attacker can craft a continue parameter (or embed a malicious URL in a session-transfer token) that appears to originate from a trusted Probo domain but redirects victims elsewhere.
Patches
Fixed in go.probo.inc/probo by normalizing relative paths with path.Clean before validation, rejecting backslashes (including
percent-encoded %5c) anywhere in the path, and re-checking the normalized result for protocol-relative and backslash prefixes.
Self-hosted deployments should upgrade to probod v0.194.1 or later.
SaaS deployments on getprobo.com are patched.
Workarounds
No practical workaround for self-hosted installations. Upgrade to the patched release.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "go.probo.inc/probo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.204.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-49820"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-30T18:31:50Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\nProbo\u0027s `saferedirect` package validates redirect URLs used across authentication flows (OIDC, SAML, session transfer, OAuth connectors, and trust-center magic links). The validator only inspected the second character of relative paths, so a URL like `/../\\evil.com` passed validation because the second character is `.`. Go\u0027s `http.Redirect` normalizes this path to `/\\evil.com` before setting the `Location` header. Browsers can interpret the backslash as a host separator and redirect the user to an external domain (`https://evil.com`), bypassing the intended same-origin restriction. This enables open-redirect phishing: an attacker can craft a `continue` parameter (or embed a malicious URL in a session-transfer token) that appears to originate from a trusted Probo domain but redirects victims elsewhere.\n\n### Patches\nFixed in `go.probo.inc/probo` by normalizing relative paths with `path.Clean` before validation, rejecting backslashes (including\npercent-encoded `%5c`) anywhere in the path, and re-checking the normalized result for protocol-relative and backslash prefixes.\n\nSelf-hosted deployments should upgrade to **probod v0.194.1** or later.\n\nSaaS deployments on getprobo.com are patched.\n\n### Workarounds\nNo practical workaround for self-hosted installations. Upgrade to the patched release.",
"id": "GHSA-x7qq-m748-8p2c",
"modified": "2026-06-30T18:31:50Z",
"published": "2026-06-30T18:31:50Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/getprobo/probo/security/advisories/GHSA-x7qq-m748-8p2c"
},
{
"type": "PACKAGE",
"url": "https://github.com/getprobo/probo"
},
{
"type": "WEB",
"url": "https://github.com/getprobo/probo/blob/main/SECURITY_NOTES.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Probo has an open redirect bypass via path normalization"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.