GHSA-CF45-HXWJ-4CFJ

Vulnerability from github – Published: 2026-04-04 06:09 – Updated: 2026-04-07 14:19
VLAI?
Summary
Directus: Open Redirect via Parser Bypass in OAuth2/SAML Authentication Flow
Details

Summary

An open redirect vulnerability exists in the login redirection logic. The isLoginRedirectAllowed function fails to correctly identify certain malformed URLs as external, allowing attackers to bypass redirect allow-list validation and redirect users to arbitrary external domains upon successful authentication.

Details

A parser differential exists between the server-side URL validation logic and how modern browsers interpret URL path segments containing backslashes. Specifically, certain URL patterns are incorrectly classified as safe relative paths by the server, but are normalized by browsers into external domain references.

This is particularly impactful in SSO authentication flows (e.g., OAuth2 providers), where an attacker can craft a login URL that redirects the victim to an attacker-controlled site immediately after successful authentication, without any visible indication during the login process.

Impact

  • Phishing: Users may be silently redirected to attacker-controlled sites impersonating legitimate services after authenticating.
  • Credential/token theft: The redirect can be chained to capture OAuth tokens or authorization codes.
  • Trust erosion: Users lose confidence in the application after being redirected to unexpected domains post-login.
Severity ?
6.1 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "directus"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "11.16.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-35410"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-184",
      "CWE-20",
      "CWE-601"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-04T06:09:55Z",
    "nvd_published_at": "2026-04-06T22:16:22Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nAn open redirect vulnerability exists in the login redirection logic. The `isLoginRedirectAllowed` function fails to correctly identify certain malformed URLs as external, allowing attackers to bypass redirect allow-list validation and redirect users to arbitrary external domains upon successful authentication.\n\n### Details\n\nA parser differential exists between the server-side URL validation logic and how modern browsers interpret URL path segments containing backslashes. Specifically, certain URL patterns are incorrectly classified as safe relative paths by the server, but are normalized by browsers into external domain references.\n\nThis is particularly impactful in SSO authentication flows (e.g., OAuth2 providers), where an attacker can craft a login URL that redirects the victim to an attacker-controlled site immediately after successful authentication, without any visible indication during the login process.\n\n### Impact\n\n- **Phishing:** Users may be silently redirected to attacker-controlled sites impersonating legitimate services after authenticating.\n- **Credential/token theft:** The redirect can be chained to capture OAuth tokens or authorization codes.\n- **Trust erosion:** Users lose confidence in the application after being redirected to unexpected domains post-login.",
  "id": "GHSA-cf45-hxwj-4cfj",
  "modified": "2026-04-07T14:19:59Z",
  "published": "2026-04-04T06:09:55Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/directus/directus/security/advisories/GHSA-cf45-hxwj-4cfj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35410"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/directus/directus"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Directus: Open Redirect via Parser Bypass in OAuth2/SAML Authentication Flow"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.