CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-55252

mediumcovered by 1 sourcefirst seen 2026-07-09
Summary The restrictions on redirect URLs in openrun can be bypassed by attackers, leading to open redirect attacks. Details In the current project, the referrer header value is used for subsequent redirects, so there is currently a validation for this redirect value. The current validation logic requires that the host and schema of the redirect URL be the same as the current website's URL, and finally, the path part is used for redirection. This check seems robust, but it can still be bypassed by attackers. <img width="1606" height="1346" alt="QQ20260602-140205-2-2" src="https://github.com/user-attachments/assets/83c549f3-38d7-444d-90f0-131d806f67ff" /> Here's the problem: Assuming the current website is http://127.0.0.1:25222/, if the attacker passes in a redirect URL of http://127.0.0.1:25222//fushuling.com, its host and schema are obviously the same as the current website, thus bypassing the verification. However, the issue lies in the final redirect URL, which is the path part of the URL, i.e., //fushuling.com. Browsers automatically complete the HTTP header for URLs starting with //, ultimately successfully bypassing the restriction and redirecting to the external address http://fushuling.com. This vulnerable behavior was successfully reproduced locally. Normally, specifying an external address directly will be blocked, so it will not redirect. <img width="1587" height="717" alt="QQ20260602-140756-2-3" src="https://github.com/user-attachments/assets/51430c42-bd10-401b-9c9f-27a91a0bc648" /> However, if the redirect URL is http://127.0.0.1:25222//fushuling.com, the existing validation logic is bypassed, and the Location header is successfully set to //fushuling.com. POST /redirecttest/abc/frag HTTP/1.1 Host: 127.0.0.1:25222 Referer: http://127.0.0.1:25222//fushuling.com Cache-Control: max-age=0 sec-ch-ua: "Not(A:Brand";v="24", "Chromium";v="122" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Wind

⚡ Watch CVE-2026-55252

Get an email if CVE-2026-55252 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-55252

CVE.org record

Embed the live status

CVE-2026-55252 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-55252 status](https://www.csirts.com/badge/CVE-2026-55252)](https://www.csirts.com/cve/CVE-2026-55252)