Concourse CI CVE-2026-49826
LOWSeverity by source
Network-delivered, low-complexity redirect requiring user interaction; scope changes as victim is sent to external attacker domain with phishing potential.
Lifecycle Timeline
1DescriptionCVE.org
Impact
An attacker is able to craft and send a user a URL that will redirect the user from the Concourse web server to any other site. This could be used in a phishing attack to steal user's credentials.
Patches
This has been fixed in 8.2.3
Workarounds
None.
Exploit
Vulnerable code was in: https://github.com/concourse/concourse/blob/ea7b812e3a88fdd070f0faece874e8a2d4fbb31c/skymarshal/skyserver/skyserver.go#L162-L170
The issue stems from the underlying processing logic of Go's url package. Normally, ParseRequestURI() will eventually reach an internal url.setPath() function, where the URL will be decoded. However, if RawPath is not empty and validEncoded(RawPath) is true, and the decoded result equals Path, then return RawPath as is; otherwise, escape Path again, i.e., decode it again.
In other words, if the URL contains dangerous characters that should be escaped, such as backslashes (\), then an extra decoding step will be performed. Therefore, /%2Fexample.com will be parsed as //example.com.
On vulnerable versions of Concourse, add /sky/login?redirect_uri=/%252Fexample.com/\ to your Concourse external URL, login as usual, and you should be redirected to example.com instead of your Concourse web server. The redirect happens after the login flow completes. No credentials are leaked.
AnalysisAI
Open redirect in Concourse's web login flow allows a remote unauthenticated attacker to craft a URL that silently redirects an authenticated user to an arbitrary external site upon completing the login process. Concourse versions prior to 8.2.3 are affected via the /sky/login endpoint's redirect_uri parameter. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The victim must be a user of the affected Concourse instance and must click an attacker-crafted URL targeting the `/sky/login` endpoint with a maliciously encoded `redirect_uri` parameter (e.g., `/%252Fexample.com/\`). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No official CVSS vector was assigned to this CVE, so risk signals are limited. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker identifies a Concourse instance and crafts a phishing link such as `https://concourse.example.com/sky/login?redirect_uri=/%252Fattacker.com/\` disguised as a routine CI/CD login link. A developer clicks the link, authenticates normally via Concourse's SSO/OAuth flow, and is silently redirected to an attacker-controlled site mimicking a Concourse dashboard or credential prompt. … |
| Remediation | Upgrade Concourse to v8.2.3, which contains the fix at commit ac60be5f0435b6592f5a4fcc089050d72ad2452c addressing the double-decoding issue in the `redirect_uri` validation logic. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Open Redirect
View allA malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca
GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect
Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to
Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows
Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b
Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li
Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3
Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp
Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites
Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for
Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-8w27-c4vc-88q9