Skip to main content

openrun CVE-2026-55252

MEDIUM
URL Redirection to Untrusted Site (Open Redirect) (CWE-601)
2026-07-09 https://github.com/openrundev/openrun GHSA-h5g6-xmh4-hc37
Share

Severity by source

vuln.today AI
4.3 MEDIUM

Network-accessible, no privileges needed; UI:R because victim must follow crafted link; I:L for deceptive redirect; no confidentiality or availability impact on the server.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Estimated by vuln.today — no official severity rating has been published for this CVE yet.

Lifecycle Timeline

1
Analysis Generated
Jul 09, 2026 - 23:51 vuln.today

DescriptionCVE.org

Summary

The restrictions on redirect URLs in openrun can be bypassed by attackers, leading to open redirect attacks.

Details

In the current project, the referrer header value is used for subsequent redirects, so there is currently a validation for this redirect value. The current validation logic requires that the host and schema of the redirect URL be the same as the current website's URL, and finally, the path part is used for redirection. This check seems robust, but it can still be bypassed by attackers.

<img width="1606" height="1346" alt="QQ20260602-140205-2-2" src="https://github.com/user-attachments/assets/83c549f3-38d7-444d-90f0-131d806f67ff" />

Here's the problem: Assuming the current website is http://127.0.0.1:25222/, if the attacker passes in a redirect URL of http://127.0.0.1:25222//fushuling.com, its host and schema are obviously the same as the current website, thus bypassing the verification. However, the issue lies in the final redirect URL, which is the path part of the URL, i.e., //fushuling.com.

Browsers automatically complete the HTTP header for URLs starting with //, ultimately successfully bypassing the restriction and redirecting to the external address http://fushuling.com.

This vulnerable behavior was successfully reproduced locally. Normally, specifying an external address directly will be blocked, so it will not redirect.

<img width="1587" height="717" alt="QQ20260602-140756-2-3" src="https://github.com/user-attachments/assets/51430c42-bd10-401b-9c9f-27a91a0bc648" />

However, if the redirect URL is http://127.0.0.1:25222//fushuling.com, the existing validation logic is bypassed, and the Location header is successfully set to //fushuling.com.

POST /redirecttest/abc/frag HTTP/1.1
Host: 127.0.0.1:25222
Referer: http://127.0.0.1:25222//fushuling.com
Cache-Control: max-age=0
sec-ch-ua: "Not(A:Brand";v="24", "Chromium";v="122"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.57 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

<img width="1536" height="729" alt="QQ20260602-140925-2-4" src="https://github.com/user-attachments/assets/31fde919-5f90-409f-8b14-af6c9c71761b" />

The user was then successfully redirected to the external address http://fushuling.com.

<img width="1692" height="855" alt="QQ20260602-141005-2-5" src="https://github.com/user-attachments/assets/83b43ef6-52fa-4218-908b-7795394ae707" />

PoC

http://127.0.0.1:25222//fushuling.com

Impact

Open Redirect

AnalysisAI

Open redirect bypass in openrun prior to v0.17.7 allows remote unauthenticated attackers to redirect victims to arbitrary external URLs by exploiting a double-slash path prefix that evades the application's host/scheme validation. The referrer-based redirect logic correctly validates the host and scheme but passes the extracted path //attacker.com to the Location header, which browsers interpret as a protocol-relative URL and resolve to an external destination. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker crafts URL with double-slash Referer header
Delivery
Victim follows link to openrun redirect endpoint
Exploit
openrun validates host/scheme (check passes)
Execution
Server sets Location: //attacker.com
Persist
Victim browser resolves protocol-relative URL
Impact
Victim redirected to attacker-controlled phishing site

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target is running openrun prior to v0.17.7 with the referrer-based redirect handler (`openrun` redirect endpoint) reachable over the network. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS vector was provided by NVD or the vendor, so all scoring is independently assessed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends a victim a link to an openrun-hosted endpoint with the Referer header set to `http://[legitimate-host]//attacker-phishing-site.com`. When the victim's browser follows the link and openrun processes the redirect, the host/scheme validation passes, and the server sets `Location: //attacker-phishing-site.com` in the response. …
Remediation Upgrade openrun to v0.17.7 or later, which incorporates the fix in commit 709da784fcf1311c85f30f3542cfa3601a78bbf0 (https://github.com/openrundev/openrun/commit/709da784fcf1311c85f30f3542cfa3601a78bbf0); the release is available at https://github.com/openrundev/openrun/releases/tag/v0.17.7. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2017-1000117 HIGH POC
8.8 Oct 05

A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca

CVE-2024-52875 HIGH POC
8.8 Jan 31

GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of

CVE-2016-5385 HIGH POC
8.1 Jul 19

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect

CVE-2013-2248 MEDIUM POC
5.8 Jul 20

Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to

CVE-2012-6499 MEDIUM POC
5.8 Jan 12

Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows

CVE-2015-2863 MEDIUM POC
4.3 Jul 20

Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b

CVE-2017-3528 MEDIUM POC
5.4 Apr 24

Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li

CVE-2012-0518 MEDIUM
4.7 Oct 16

Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3

CVE-2024-21641 MEDIUM POC
6.5 Jan 05

Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp

CVE-2015-5354 MEDIUM POC
5.8 Jul 01

Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites

CVE-2015-5461 MEDIUM POC
6.4 Jul 08

Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for

CVE-2024-22891 CRITICAL POC
9.8 Mar 01

Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit

Share

CVE-2026-55252 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy