Skip to main content

Probo saferedirect CVE-2026-49820

MEDIUM
URL Redirection to Untrusted Site (Open Redirect) (CWE-601)
2026-06-30 https://github.com/getprobo/probo GHSA-x7qq-m748-8p2c
4.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.7 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
vuln.today AI
4.7 MEDIUM

Network-delivered redirect requiring victim click; no attacker auth needed; scope changes to victim browser; integrity-only impact via host-separator bypass.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 30, 2026 - 19:21 vuln.today

DescriptionGitHub Advisory

Impact

Probo's saferedirect package validates redirect URLs used across authentication flows (OIDC, SAML, session transfer, OAuth connectors, and trust-center magic links). The validator only inspected the second character of relative paths, so a URL like /../\evil.com passed validation because the second character is .. Go's http.Redirect normalizes this path to /\evil.com before setting the Location header. Browsers can interpret the backslash as a host separator and redirect the user to an external domain (https://evil.com), bypassing the intended same-origin restriction. This enables open-redirect phishing: an attacker can craft a continue parameter (or embed a malicious URL in a session-transfer token) that appears to originate from a trusted Probo domain but redirects victims elsewhere.

Patches

Fixed in go.probo.inc/probo by normalizing relative paths with path.Clean before validation, rejecting backslashes (including percent-encoded %5c) anywhere in the path, and re-checking the normalized result for protocol-relative and backslash prefixes.

Self-hosted deployments should upgrade to probod v0.194.1 or later.

SaaS deployments on getprobo.com are patched.

Workarounds

No practical workaround for self-hosted installations. Upgrade to the patched release.

AnalysisAI

Open redirect in Probo's saferedirect package allows unauthenticated remote attackers to bypass same-origin URL validation across all authentication flows - OIDC, SAML, session transfer, OAuth connectors, and trust-center magic links. A crafted URL such as /../\evil.com passes the flawed second-character check, and Go's http.Redirect normalizer collapses it to /\evil.com before setting the Location header; browsers then interpret the backslash as a host separator and navigate victims to an attacker-controlled domain. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Craft continue parameter with /../\evil.com payload
Delivery
Embed URL in phishing link targeting Probo login
Exploit
Victim clicks link and authenticates normally
Install
saferedirect validator passes second-character check
C2
Go http.Redirect normalizes path to /\evil.com
Execute
Browser interprets backslash as host separator
Impact
Victim redirected to attacker-controlled domain

Vulnerability AssessmentAI

Exploitation A victim user must click a specially crafted link containing a malicious redirect parameter - user interaction (UI:R per CVSS) is mandatory and passive server-side exploitation is not possible. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 4.7 (AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N) accurately reflects a moderate-severity open redirect: network-reachable, trivially exploitable, no authentication required, but contingent on victim interaction and producing only integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a phishing email containing a Probo login URL with a malicious continue parameter, e.g., https://auth.probo.example.com/login?continue=/../%5cevil.com. A target user clicks the link, completes normal authentication against the legitimate Probo domain, and is silently redirected by the browser to the attacker-controlled site - which may mirror the Probo UI to harvest credentials or session cookies. …
Remediation Self-hosted deployments must upgrade to probod v0.194.1 or later, available from the upstream repository at https://github.com/getprobo/probo. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2017-1000117 HIGH POC
8.8 Oct 05

A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca

CVE-2024-52875 HIGH POC
8.8 Jan 31

GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of

CVE-2016-5385 HIGH POC
8.1 Jul 19

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect

CVE-2013-2248 MEDIUM POC
5.8 Jul 20

Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to

CVE-2012-6499 MEDIUM POC
5.8 Jan 12

Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows

CVE-2015-2863 MEDIUM POC
4.3 Jul 20

Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b

CVE-2017-3528 MEDIUM POC
5.4 Apr 24

Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li

CVE-2012-0518 MEDIUM
4.7 Oct 16

Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3

CVE-2024-21641 MEDIUM POC
6.5 Jan 05

Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp

CVE-2015-5354 MEDIUM POC
5.8 Jul 01

Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites

CVE-2015-5461 MEDIUM POC
6.4 Jul 08

Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for

CVE-2024-22891 CRITICAL POC
9.8 Mar 01

Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit

Share

CVE-2026-49820 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy