Probo saferedirect CVE-2026-49820
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Network-delivered redirect requiring victim click; no attacker auth needed; scope changes to victim browser; integrity-only impact via host-separator bypass.
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionGitHub Advisory
Impact
Probo's saferedirect package validates redirect URLs used across authentication flows (OIDC, SAML, session transfer, OAuth connectors, and trust-center magic links). The validator only inspected the second character of relative paths, so a URL like /../\evil.com passed validation because the second character is .. Go's http.Redirect normalizes this path to /\evil.com before setting the Location header. Browsers can interpret the backslash as a host separator and redirect the user to an external domain (https://evil.com), bypassing the intended same-origin restriction. This enables open-redirect phishing: an attacker can craft a continue parameter (or embed a malicious URL in a session-transfer token) that appears to originate from a trusted Probo domain but redirects victims elsewhere.
Patches
Fixed in go.probo.inc/probo by normalizing relative paths with path.Clean before validation, rejecting backslashes (including percent-encoded %5c) anywhere in the path, and re-checking the normalized result for protocol-relative and backslash prefixes.
Self-hosted deployments should upgrade to probod v0.194.1 or later.
SaaS deployments on getprobo.com are patched.
Workarounds
No practical workaround for self-hosted installations. Upgrade to the patched release.
AnalysisAI
Open redirect in Probo's saferedirect package allows unauthenticated remote attackers to bypass same-origin URL validation across all authentication flows - OIDC, SAML, session transfer, OAuth connectors, and trust-center magic links. A crafted URL such as /../\evil.com passes the flawed second-character check, and Go's http.Redirect normalizer collapses it to /\evil.com before setting the Location header; browsers then interpret the backslash as a host separator and navigate victims to an attacker-controlled domain. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | A victim user must click a specially crafted link containing a malicious redirect parameter - user interaction (UI:R per CVSS) is mandatory and passive server-side exploitation is not possible. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 4.7 (AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N) accurately reflects a moderate-severity open redirect: network-reachable, trivially exploitable, no authentication required, but contingent on victim interaction and producing only integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a phishing email containing a Probo login URL with a malicious continue parameter, e.g., https://auth.probo.example.com/login?continue=/../%5cevil.com. A target user clicks the link, completes normal authentication against the legitimate Probo domain, and is silently redirected by the browser to the attacker-controlled site - which may mirror the Probo UI to harvest credentials or session cookies. … |
| Remediation | Self-hosted deployments must upgrade to probod v0.194.1 or later, available from the upstream repository at https://github.com/getprobo/probo. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Open Redirect
View allA malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca
GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect
Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to
Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows
Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b
Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li
Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3
Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp
Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites
Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for
Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-x7qq-m748-8p2c