Skip to main content

Snipe-IT EUVDEUVD-2026-31965

| CVE-2026-44833 MEDIUM
URL Redirection to Untrusted Site (Open Redirect) (CWE-601)
2026-05-08 https://github.com/grokability/snipe-it GHSA-mghp-5cq4-v6mg
5.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.9 MEDIUM
AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
Source Code Evidence Fetched
May 09, 2026 - 00:00 vuln.today
Analysis Generated
May 09, 2026 - 00:00 vuln.today
CVE Published
May 08, 2026 - 23:25 nvd
MEDIUM 5.9

DescriptionGitHub Advisory

Open redirect vulnerability in Snipe-IT allows attackers to redirect users to malicious sites via unvalidated HTTP Referer header stored in session variable.

Impact

  • Phishing: Redirect users to fake login pages to steal credentials
  • Session Hijacking: Redirect to attacker site that captures session cookies via JavaScript
  • Malware Distribution: Redirect to sites hosting malware or drive-by downloads
  • Reputation Damage: Users lose trust when redirected to malicious sites from legitimate application
  • Social Engineering: Use trusted Snipe-IT domain to increase phishing success rate

When the user clicks "Save", the application:

  1. Processes the form
  2. Checks redirect_option (if set to 'back')
  3. Calls Helper::getRedirectOption()
  4. Retrieves back_url from session: https://evil.com/phishing?target=snipeit
  5. Executes redirect()->to($backUrl)
  6. User is redirected to attacker's site

This would still require session poisoning, so the actual practical threat here is minimal.

Patches

Patched in https://github.com/grokability/snipe-it/commit/e37649212861a337e68a624e589c3540b7a82373, released in 8.4.1.

Workarounds

None.

Resources

  • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
  • OWASP: Unvalidated Redirects and Forwards
  • Laravel Security: Safe Redirects

snipeit_open_redirect_submission.md

AnalysisAI

Open redirect vulnerability in Snipe-IT versions prior to 8.4.1 allows authenticated attackers to redirect users to malicious sites by poisoning the session-stored HTTP Referer header, enabling phishing, session hijacking, and malware distribution attacks. Exploitation requires prior session poisoning and user interaction (clicking a form submission), limiting real-world practical impact despite moderate CVSS score of 5.9. Vendor-released patch available in version 8.4.1.

Technical ContextAI

Snipe-IT is a Laravel-based IT asset management application. The vulnerability exists in the redirect logic chain: when processing form submissions with redirect_option set to 'back', the application calls Helper::getRedirectOption() which retrieves an unvalidated back_url parameter from the user's session variable and passes it directly to Laravel's redirect()->to($backUrl) function without URL validation. This violates CWE-601 (URL Redirection to Untrusted Site) by failing to implement whitelist-based or domain-validation checks on redirect destinations. The root cause is trust in session-stored data without re-validation at redirect time, assuming the session layer itself provides sufficient security boundaries.

RemediationAI

Vendor-released patch: upgrade Snipe-IT to version 8.4.1 or later. The fix implements URL validation via the commit e37649212861a337e68a624e589c3540b7a82373 to sanitize redirect destinations before execution. No workarounds are documented by the vendor. As a temporary compensating control pending upgrade, administrators can disable or restrict access to form submission endpoints that trigger the redirect functionality, or implement network-level controls to monitor and block redirects to external domains by inspecting HTTP Location headers in responses. However, these controls degrade application functionality and should only be considered as temporary measures. Apply the patch at the earliest convenient maintenance window; this is not a critical patch given the exploitation prerequisites.

CVE-2017-1000117 HIGH POC
8.8 Oct 05

A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca

CVE-2024-52875 HIGH POC
8.8 Jan 31

GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of

CVE-2016-5385 HIGH POC
8.1 Jul 19

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect

CVE-2013-2248 MEDIUM POC
5.8 Jul 20

Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to

CVE-2012-6499 MEDIUM POC
5.8 Jan 12

Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows

CVE-2015-2863 MEDIUM POC
4.3 Jul 20

Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b

CVE-2017-3528 MEDIUM POC
5.4 Apr 24

Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li

CVE-2012-0518 MEDIUM
4.7 Oct 16

Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3

CVE-2024-21641 MEDIUM POC
6.5 Jan 05

Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp

CVE-2015-5354 MEDIUM POC
5.8 Jul 01

Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites

CVE-2015-5461 MEDIUM POC
6.4 Jul 08

Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for

CVE-2024-22891 CRITICAL POC
9.8 Mar 01

Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit

Share

EUVD-2026-31965 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy