Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Network-delivered via crafted URL with no prerequisites (AV:N/AC:L/PR:N); victim must click and authenticate (UI:R); post-auth redirect crosses trust boundary to external domain (S:C); impact limited to phishing surface (C:L/I:L/A:N).
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Redash is a package for data visualization and sharing. From 5.0.2 to 26.3.0, the get_next_path() function in Redash's authentication module stripped the scheme and netloc from user-supplied next parameters but did not normalize multiple leading slashes, allowing a crafted login URL such as /login?next=////evil.com to redirect users to an external attacker-controlled site after authentication.
AnalysisAI
Open redirect in Redash versions 5.0.2 through 26.3.0 allows unauthenticated attackers to craft a login URL that silently forwards authenticated users to an attacker-controlled external site. The flaw in get_next_path() stripped scheme and netloc from the next parameter but failed to reject or normalize URLs with three or more leading slashes - a pattern browsers interpret as an absolute external reference (e.g., /login?next=////evil.com). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The login endpoint must be reachable by the attacker (directly or via a link delivered to an internal user). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 6.1 score (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) correctly reflects a network-exploitable, low-complexity, unauthenticated attack that requires one click from the victim and produces a changed scope - the post-login redirect exits the Redash trust boundary to an attacker domain. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker sends a targeted phishing message to a data analyst with a link to https://redash.company.com/login?next=////attacker.com/fake-dashboard. The analyst clicks the link, authenticates normally against the real Redash instance, and is immediately forwarded to attacker.com - a page styled to look like Redash that prompts for re-authentication or delivers a browser exploit. … |
| Remediation | Apply the upstream fix available as commit 9e66f81673c482d9ae6c425afe009644114605d0 in the Redash repository (https://github.com/getredash/redash/commit/9e66f81673c482d9ae6c425afe009644114605d0); a tagged patched release version is not independently confirmed from available data - consult the advisory at https://github.com/getredash/redash/security/advisories/GHSA-rfgc-hc86-pxrv for the official fixed release before upgrading. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Open Redirect
View allA malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca
GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect
Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to
Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows
Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b
Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li
Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3
Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp
Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites
Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for
Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44686