Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, the enter action in StaticController reads the sso_destination_url cookie and redirects to it with allow_other_host: true without validating the destination URL. While this cookie is normally set during legitimate DiscourseConnect Provider flows with cryptographically validated SSO payloads, cookies are client-controlled and can be set by attackers. This issue has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0.
AnalysisAI
Open redirect vulnerability in Discourse versions 2026.1.0 through 2026.3.0 allows unauthenticated remote attackers to redirect users to arbitrary destinations via a malicious sso_destination_url cookie, exploiting a lack of URL validation in the StaticController enter action. While the cookie is normally set during legitimate DiscourseConnect Provider flows with cryptographic validation, attackers can directly set client-controlled cookies to bypass validation logic. The vulnerability requires user interaction (clicking a crafted link) and persistence of attacker-controlled cookies to exploit, but successful exploitation can be used for credential harvesting or phishing attacks. No public exploit code or active exploitation has been confirmed at time of analysis. Patched versions 2026.1.3, 2026.2.2, and 2026.3.0 are available.
Technical ContextAI
The vulnerability stems from improper URL validation in Discourse's StaticController, specifically in the enter action which processes SSO redirects. The underlying root cause is CWE-601 (URL Redirection to Untrusted Site, Open Redirect), where the application reads the client-controlled sso_destination_url cookie and performs a redirect with allow_other_host: true without validating that the destination is a trusted domain. While DiscourseConnect Provider flows normally cryptographically validate SSO payloads before setting this cookie, the application does not distinguish between legitimately-set cookies and attacker-injected ones. This is a classic open redirect vulnerability where the trust boundary is incorrectly placed-the application assumes cookie presence implies prior validation, but cookies are inherently client-controlled and can be forged or modified by attackers. The affected product is Discourse (cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*:*), an open-source discussion platform written in Ruby on Rails, affecting all 2026.x versions within the specified ranges.
RemediationAI
Upgrade to patched versions immediately: Discourse 2026.1.3 or later (for 2026.1.x installations), 2026.2.2 or later (for 2026.2.x installations), or 2026.3.0 final release or later (for 2026.3.x installations). The upstream fix adds proper URL validation to the sso_destination_url cookie processing logic to ensure redirect destinations are trusted hosts before issuing redirects. No workarounds are available short of patches. Self-hosted administrators should update through their standard deployment process (typically Docker or source rebuild); managed Discourse instances are typically updated automatically by Discourse hosting providers. Consult the GitHub Security Advisory at https://github.com/discourse/discourse/security/advisories/GHSA-378j-ccw4-4fwh and the Discourse Meta post on SSO provider implementation at https://meta.discourse.org/t/using-discourse-as-a-sso-provider/32974 for additional context on SSO flows and validation expectations.
More in Open Redirect
View allA malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca
GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect
Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to
Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows
Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b
Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li
Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3
Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp
Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites
Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for
Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17546