Advisory Database

CVE-2026-49820: Probo has an open redirect bypass via path normalization

June 30, 2026

Probo’s saferedirect package validates the redirect targets used across its authentication flows (OIDC, SAML, session transfer, OAuth connectors, and trust-center magic links). In affected versions the validator decided whether a target was a safe relative path by inspecting only its second character, so a value such as /../\evil.com passed because that character is a dot. Go’s http.Redirect then runs a relative target through path.Clean before setting the Location header, which collapses the leading ".." and emits /\evil.com. Browsers following the WHATWG URL standard treat a backslash like a forward slash in http(s) URLs, so /\evil.com resolves as //evil.com and the user lands on https://evil.com, defeating the same-origin restriction the check was meant to enforce. The result is an open redirect usable for phishing: an attacker crafts a continue parameter (or embeds the malicious target in a session-transfer token) so that a link which genuinely starts on a trusted Probo domain ends on a site the attacker controls. The underlying mistake is validating the raw input rather than the string that will actually be sent to the client.
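The chain described above, reproduced and contrasted with a hardened validator, as an added Go example that is not Probo's own code. weakIsRelative is an assumed reconstruction of the second-character check the advisory describes; locationAfterRedirect uses net/http itself to show what path.Clean does to the payload; safeRelativeTarget is one way to validate a redirect target after normalisation. The function names and the sample inputs are the example's own, not identifiers from the project.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"path"
	"strings"
)

// weakIsRelative reconstructs the flawed check the advisory describes:
// a target is accepted when it starts with "/" and its second character is
// neither "/" nor "\". This is an illustrative assumption, not Probo's code.
func weakIsRelative(raw string) bool {
	if raw == "" || raw[0] != '/' {
		return false
	}
	return len(raw) == 1 || (raw[1] != '/' && raw[1] != '\\')
}

// locationAfterRedirect shows what net/http actually emits: for a target with
// no scheme and no host, http.Redirect runs path.Clean before setting the
// Location header, so the leading ".." that satisfied the weak check is gone.
func locationAfterRedirect(target string) string {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/login", nil)
	http.Redirect(rec, req, target, http.StatusFound)
	return rec.Result().Header.Get("Location")
}

// safeRelativeTarget is a hardened validator (added here, not the project's
// implementation). It parses the candidate, rejects anything carrying a
// scheme, authority, opaque part or user info, rejects backslashes outright
// (the WHATWG URL parser treats "\" as "/" for http(s), so "/\host" resolves
// like "//host"), normalises the path exactly as http.Redirect will, and only
// then checks that the normalised path cannot be read as an authority.
// It returns the rebuilt target so the caller redirects to the string that
// was validated rather than to the raw input.
func safeRelativeTarget(raw string) (string, bool) {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "" || u.Host != "" || u.Opaque != "" || u.User != nil {
		return "", false
	}
	if !strings.HasPrefix(u.Path, "/") || strings.ContainsRune(u.Path, '\\') {
		return "", false
	}
	cleaned := path.Clean(u.Path)
	if strings.HasPrefix(cleaned, "//") {
		return "", false
	}
	out := url.URL{Path: cleaned, RawQuery: u.RawQuery, Fragment: u.Fragment}
	return out.String(), true
}

func main() {
	// Constructed sample inputs: one benign path, the advisory's payload, and
	// two obvious external targets.
	for _, c := range []string{"/dashboard", "/../\\evil.com", "//evil.com", "https://evil.com/"} {
		safe, ok := safeRelativeTarget(c)
		fmt.Printf("%-20q weak=%-5v location=%-20q hardened=%q ok=%v\n",
			c, weakIsRelative(c), locationAfterRedirect(c), safe, ok)
	}
}
```

The point to carry over is that a redirect validator must operate on the same string the redirect will emit: normalise first, reject a backslash as well as a leading double slash, and redirect to the rebuilt value rather than the raw input. Rejecting every backslash is stricter than the bypass strictly requires, but a backslash has no legitimate use in a same-origin continue path, and a percent-encoded %5C decodes to one on parse, so the blanket rule costs nothing.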

References

  • github.com/advisories/GHSA-x7qq-m748-8p2c
  • github.com/getprobo/probo/blob/main/SECURITY_NOTES.md
  • github.com/getprobo/probo/security/advisories/GHSA-x7qq-m748-8p2c
  • nvd.nist.gov/vuln/detail/CVE-2026-49820

Affected versions

All versions before 0.204.0

Fixed versions

  • 0.204.0

Solution

Upgrade to version 0.204.0 or above.

Impact 4.7 MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Weakness

  • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

Source file

go/go.probo.inc/probo/CVE-2026-49820.yml

Page generated Thu, 02 Jul 2026 12:23:51 +0000.