CVE-2026-49820: Probo has an open redirect bypass via path normalization
Probo’s saferedirect package validates redirect URLs used across authentication flows (OIDC, SAML, session transfer, OAuth connectors, and trust-center magic links). The validator only inspected the second character of relative paths, so a URL like /../\evil.com passed validation because the second character is .. Go’s http.Redirect normalizes this path to /\evil.com before setting the Location header. Browsers can interpret the backslash as a host separator and redirect the user to an external domain (https://evil.com), bypassing the intended same-origin restriction. This enables open-redirect phishing: an attacker can craft a continue parameter (or embed a malicious URL in a session-transfer token) that appears to originate from a trusted Probo domain but redirects victims elsewhere.
References
Code Behaviors & Features
Detect and mitigate CVE-2026-49820 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →