Skip to main content

Open Redirect EUVDEUVD-2026-17546

| CVE-2026-32113 MEDIUM
URL Redirection to Untrusted Site (Open Redirect) (CWE-601)
2026-03-31 GitHub_M
5.1
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2026.1.3,2026.3.0,2026.2.2
EUVD ID Assigned
Mar 31, 2026 - 18:16 euvd
EUVD-2026-17546
Analysis Generated
Mar 31, 2026 - 18:16 vuln.today
CVE Published
Mar 31, 2026 - 17:39 nvd
MEDIUM 5.1

DescriptionGitHub Advisory

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, the enter action in StaticController reads the sso_destination_url cookie and redirects to it with allow_other_host: true without validating the destination URL. While this cookie is normally set during legitimate DiscourseConnect Provider flows with cryptographically validated SSO payloads, cookies are client-controlled and can be set by attackers. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.

AnalysisAI

Open redirect vulnerability in Discourse versions 2026.1.0 through 2026.3.0 allows unauthenticated remote attackers to redirect users to arbitrary destinations via a malicious sso_destination_url cookie, exploiting a lack of URL validation in the StaticController enter action. While the cookie is normally set during legitimate DiscourseConnect Provider flows with cryptographic validation, attackers can directly set client-controlled cookies to bypass validation logic. The vulnerability requires user interaction (clicking a crafted link) and persistence of attacker-controlled cookies to exploit, but successful exploitation can be used for credential harvesting or phishing attacks. No public exploit code or active exploitation has been confirmed at time of analysis. Patched versions 2026.1.3, 2026.2.2, and 2026.3.0 are available.

Technical ContextAI

The vulnerability stems from improper URL validation in Discourse's StaticController, specifically in the enter action which processes SSO redirects. The underlying root cause is CWE-601 (URL Redirection to Untrusted Site, Open Redirect), where the application reads the client-controlled sso_destination_url cookie and performs a redirect with allow_other_host: true without validating that the destination is a trusted domain. While DiscourseConnect Provider flows normally cryptographically validate SSO payloads before setting this cookie, the application does not distinguish between legitimately-set cookies and attacker-injected ones. This is a classic open redirect vulnerability where the trust boundary is incorrectly placed-the application assumes cookie presence implies prior validation, but cookies are inherently client-controlled and can be forged or modified by attackers. The affected product is Discourse (cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*), an open-source discussion platform written in Ruby on Rails, affecting all 2026.x versions within the specified ranges.

RemediationAI

Upgrade to patched versions immediately: Discourse 2026.1.3 or later (for 2026.1.x installations), 2026.2.2 or later (for 2026.2.x installations), or 2026.3.0 final release or later (for 2026.3.x installations). The upstream fix adds proper URL validation to the sso_destination_url cookie processing logic to ensure redirect destinations are trusted hosts before issuing redirects. No workarounds are available short of patches. Self-hosted administrators should update through their standard deployment process (typically Docker or source rebuild); managed Discourse instances are typically updated automatically by Discourse hosting providers. Consult the GitHub Security Advisory at https://github.com/discourse/discourse/security/advisories/GHSA-378j-ccw4-4fwh and the Discourse Meta post on SSO provider implementation at https://meta.discourse.org/t/using-discourse-as-a-sso-provider/32974 for additional context on SSO flows and validation expectations.

CVE-2017-1000117 HIGH POC
8.8 Oct 05

A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca

CVE-2024-52875 HIGH POC
8.8 Jan 31

GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of

CVE-2016-5385 HIGH POC
8.1 Jul 19

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect

CVE-2013-2248 MEDIUM POC
5.8 Jul 20

Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to

CVE-2012-6499 MEDIUM POC
5.8 Jan 12

Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows

CVE-2015-2863 MEDIUM POC
4.3 Jul 20

Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b

CVE-2017-3528 MEDIUM POC
5.4 Apr 24

Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li

CVE-2012-0518 MEDIUM
4.7 Oct 16

Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3

CVE-2024-21641 MEDIUM POC
6.5 Jan 05

Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp

CVE-2015-5354 MEDIUM POC
5.8 Jul 01

Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites

CVE-2015-5461 MEDIUM POC
6.4 Jul 08

Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for

CVE-2024-22891 CRITICAL POC
9.8 Mar 01

Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit

Share

EUVD-2026-17546 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy