CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-49456

lowCVSS 3.1covered by 1 sourcefirst seen 2026-07-08
Summary The unstable_redirect() helper exported from waku/router/server (packages/waku/src/router/define-router.tsx:156–161) accepts an arbitrary string and reflects it unchanged into the HTTP Location response header with no URL validation, scheme restriction, or path-only enforcement. Any application that passes user-controlled input to this helper — the natural pattern documented in the JSDoc and official fixtures — is vulnerable to open redirect attacks. An attacker who convinces a victim to click a crafted link can silently redirect the browser to an arbitrary external domain, enabling phishing, credential harvesting, and OAuth token theft. Additionally, scheme-relative URLs (//evil.example/) bypass naive https?://-only allow-list filters that developers might add as ad-hoc mitigations. Dynamic PoC confirmed against waku 1.0.0-beta.0 (commit 8e9f542) in an isolated Docker environment. Two independent dynamic runs produced identical results. Root Cause packages/waku/src/router/define-router.tsx:156–161: export function unstable_redirect( location: string, // only URL pathname is supported. status: 303 | 307 | 308 = 307, ): never { throw createCustomError('Redirect', { status, location }); } The JSDoc comment states "only URL pathname is supported", but this constraint is expressed as documentation only — the function performs no validation. The location value propagates via createCustomError (custom-errors.ts:22–26) into an error digest, is recovered by getErrorInfo in the request handler (handler.ts:79–89), and reflected directly into headers.location of the outgoing Response with no sanitization: if (info?.location) { headers.location = info.location; // handler.ts:87 — unvalidated reflection } return new Response(body, { status, headers }); Trigger (one-line summary) Any developer-supplied user input passed to unstable_redirect() is reflected unchanged into the HTTP Location header, enabling navigation to an attacker-controlled domain. Affected Entr

⚡ Watch CVE-2026-49456

Get an email if CVE-2026-49456 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-49456

CVE.org record

Embed the live status

CVE-2026-49456 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-49456 status](https://www.csirts.com/badge/CVE-2026-49456)](https://www.csirts.com/cve/CVE-2026-49456)