Affine
CVE-2026-21853
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
AFFiNE is an open-source, all-in-one workspace and an operating system. Prior to version 0.25.4, there is a one-click remote code execution vulnerability. This vulnerability can be exploited by embedding a specially crafted affine: URL on a website. An attacker can trigger the vulnerability in two common scenarios: 1/ A victim visits a malicious website controlled by the attacker and the website redirect to the URL automatically, or 2/ A victim clicks on a crafted link embedded on a legitimate website (e.g., in user-generated content). In both cases, the browser invokes AFFiNE custom URL handler, which launches the AFFiNE app and processes the crafted URL. This results in arbitrary code execution on the victim’s machine, without further interaction. This issue has been patched in version 0.25.4.
AnalysisAI
Remote code execution in AFFiNE workspace application (versions prior to 0.25.4) allows unauthenticated attackers to execute arbitrary code via malicious affine: URL handlers. Exploitation requires one user click on a crafted link or visiting a malicious website that auto-redirects to the malicious URL. The browser's custom protocol handler automatically launches AFFiNE and processes the payload without further user interaction, achieving RCE. EPSS score of 0.17% (38th percentile) suggests low observed exploitation activity. GitHub security advisory GHSA-67vm-2mcj-8965 confirms the vulnerability with upstream fix available in commit c9a4129a via PR #13864.
Technical ContextAI
This vulnerability exploits AFFiNE's custom URL protocol handler (affine: scheme) registered with the operating system. Custom protocol handlers allow web browsers to launch desktop applications when specific URL schemes are encountered. The vulnerability stems from CWE-94 (Improper Control of Generation of Code / Code Injection), where the application fails to properly sanitize or validate data passed through the affine: URL scheme before processing it. When a crafted URL is invoked, the browser passes the malicious payload directly to the AFFiNE application, which executes embedded code without sufficient input validation. This attack pattern is common in Electron-based applications and similar desktop software that register custom protocol handlers. The affected product is AFFiNE workspace (cpe:2.3:a:affine:affine), an open-source productivity application, with all versions before 0.25.4 vulnerable.
RemediationAI
Upgrade AFFiNE to version 0.25.4 or later, which contains the complete fix implemented in commit c9a4129a3e9376b688c18e1dcd6c87a775caac80 via pull request #13864. Organizations should prioritize patching internet-facing deployments and systems used by users who access external web content or untrusted user-generated content platforms. If immediate upgrade is not feasible, implement browser-level mitigations by disabling or unregistering the affine: protocol handler from the operating system (methods vary by OS: Windows Registry modification, macOS Launch Services, Linux .desktop file removal), though this prevents legitimate affine: link functionality and may disrupt normal workflow integration features. Network-level URL filtering to block affine: schemes at web proxies provides defense-in-depth but requires users to access AFFiNE through controlled channels. User awareness training about not clicking unknown links provides minimal protection given the one-click exploitation model. Patch advisory and technical details: https://github.com/toeverything/AFFiNE/security/advisories/GHSA-67vm-2mcj-8965 and https://github.com/toeverything/AFFiNE/pull/13864.
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today