Skip to main content

SolarWinds Observability Self-Hosted EUVDEUVD-2026-35451

| CVE-2026-28301 MEDIUM
URL Redirection to Untrusted Site (Open Redirect) (CWE-601)
2026-06-09 SolarWinds GHSA-v3jw-x4g9-2mmm
4.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.8 MEDIUM
AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 09, 2026 - 16:46 vuln.today

DescriptionCVE.org

A vulnerability in which an attacker can provide a crafted external URL that may redirect a user to an unintended website.

AnalysisAI

Open redirect in SolarWinds Observability Self-Hosted enables an authenticated low-privilege attacker on an adjacent network segment to supply a crafted external URL that redirects application traffic or users to an attacker-controlled site. The CVSS vector assigns High confidentiality impact (C:H) despite a medium overall score of 4.8, suggesting the redirect may expose sensitive data - such as session tokens or credentials - to the attacker-controlled destination, rather than being a simple phishing-only vector. No public exploit code exists and the vulnerability is not listed in the CISA KEV catalog at time of analysis. SolarWinds has released a patch in the HCO 2026.2 release.

Technical ContextAI

CWE-601 (URL Redirection to Untrusted Site / Open Redirect) occurs when an application accepts user-controlled input to construct a redirect URL without sufficiently validating that the destination is trusted or internal. In the context of SolarWinds Observability Self-Hosted - an on-premises monitoring platform based on the Orion Platform - this likely manifests in a UI or API endpoint that accepts an external URL parameter (e.g., a return-to or callback URL) and redirects without allowlist enforcement. The CPE string cpe:2.3:a:solarwinds:observability_self-hosted:*:*:*:*:*:*:*:* with a wildcard version field indicates all current self-hosted versions are in scope. The CVSS Adjacent vector (AV:A) is consistent with Observability Self-Hosted being a network-internal monitoring tool not typically exposed directly to the internet.

RemediationAI

The primary fix is to upgrade SolarWinds Observability Self-Hosted to the HCO 2026.2 release, as documented in the release notes at https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/hco_2026-2_release_notes.htm. The SolarWinds security advisory at https://www.solarwinds.com/trust-center/security-advisories/CVE-2026-28301 should be reviewed for any additional guidance. Prior to patching, organizations can consult the SolarWinds secure configuration guide (https://documentation.solarwinds.com/en/success_center/orionplatform/content/core-secure-configuration.htm) to harden the deployment - specifically reviewing URL allowlisting and external integration settings. As a compensating control, network-level access controls restricting which users or systems can reach the Observability Self-Hosted web interface from adjacent segments will reduce the exposed attack surface, since AV:A already limits exposure to network-adjacent actors. Restricting low-privilege account access to only necessary platform features limits the set of authenticated users who could trigger the redirect. Note: version-specific patch confirmation is inferred from the HCO 2026-2 release notes reference but the exact patched release string was not independently confirmed in available intelligence.

CVE-2017-1000117 HIGH POC
8.8 Oct 05

A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca

CVE-2024-52875 HIGH POC
8.8 Jan 31

GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of

CVE-2016-5385 HIGH POC
8.1 Jul 19

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect

CVE-2013-2248 MEDIUM POC
5.8 Jul 20

Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to

CVE-2012-6499 MEDIUM POC
5.8 Jan 12

Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows

CVE-2015-2863 MEDIUM POC
4.3 Jul 20

Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b

CVE-2017-3528 MEDIUM POC
5.4 Apr 24

Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li

CVE-2012-0518 MEDIUM
4.7 Oct 16

Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3

CVE-2024-21641 MEDIUM POC
6.5 Jan 05

Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp

CVE-2015-5354 MEDIUM POC
5.8 Jul 01

Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites

CVE-2015-5461 MEDIUM POC
6.4 Jul 08

Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for

CVE-2024-22891 CRITICAL POC
9.8 Mar 01

Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit

Share

EUVD-2026-35451 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy