Severity by source
AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability in which an attacker can provide a crafted external URL that may redirect a user to an unintended website.
AnalysisAI
Open redirect in SolarWinds Observability Self-Hosted enables an authenticated low-privilege attacker on an adjacent network segment to supply a crafted external URL that redirects application traffic or users to an attacker-controlled site. The CVSS vector assigns High confidentiality impact (C:H) despite a medium overall score of 4.8, suggesting the redirect may expose sensitive data - such as session tokens or credentials - to the attacker-controlled destination, rather than being a simple phishing-only vector. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog at time of analysis. SolarWinds has released a patch in the HCO 2026.2 release.
Technical ContextAI
CWE-601 (URL Redirection to Untrusted Site / Open Redirect) occurs when an application accepts user-controlled input to construct a redirect URL without sufficiently validating that the destination is trusted or internal. In the context of SolarWinds Observability Self-Hosted - an on-premises monitoring platform based on the Orion Platform - this likely manifests in a UI or API endpoint that accepts an external URL parameter (e.g., a return-to or callback URL) and redirects without allowlist enforcement. The CPE string cpe:2.3:a:solarwinds:observability_self-hosted:*:*:*:*:*:*:*:* with a wildcard version field indicates all current self-hosted versions are in scope. The CVSS Adjacent vector (AV:A) is consistent with Observability Self-Hosted being a network-internal monitoring tool not typically exposed directly to the internet.
RemediationAI
The primary fix is to upgrade SolarWinds Observability Self-Hosted to the HCO 2026.2 release, as documented in the release notes at https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/hco_2026-2_release_notes.htm. The SolarWinds security advisory at https://www.solarwinds.com/trust-center/security-advisories/CVE-2026-28301 should be reviewed for any additional guidance. Prior to patching, organizations can consult the SolarWinds secure configuration guide (https://documentation.solarwinds.com/en/success_center/orionplatform/content/core-secure-configuration.htm) to harden the deployment - specifically reviewing URL allowlisting and external integration settings. As a compensating control, network-level access controls restricting which users or systems can reach the Observability Self-Hosted web interface from adjacent segments will reduce the exposed attack surface, since AV:A already limits exposure to network-adjacent actors. Restricting low-privilege account access to only necessary platform features limits the set of authenticated users who could trigger the redirect. Note: version-specific patch confirmation is inferred from the HCO 2026-2 release notes reference but the exact patched release string was not independently confirmed in available intelligence.
More in Open Redirect
View allA malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca
GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect
Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to
Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows
Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b
Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li
Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3
Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp
Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites
Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for
Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-35451
GHSA-v3jw-x4g9-2mmm