CVE-2026-35410

CVSS v3.1

6.1

Medium

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

An open redirect vulnerability exists in the login redirection logic. The isLoginRedirectAllowed function fails to correctly identify certain malformed URLs as external, allowing attackers to bypass redirect allow-list validation and redirect users to arbitrary external domains upon successful authentication.

Details

A parser differential exists between the server-side URL validation logic and how modern browsers interpret URL path segments containing backslashes. Specifically, certain URL patterns are incorrectly classified as safe relative paths by the server, but are normalized by browsers into external domain references.

This is particularly impactful in SSO authentication flows (e.g., OAuth2 providers), where an attacker can craft a login URL that redirects the victim to an attacker-controlled site immediately after successful authentication, without any visible indication during the login process.

Impact

Phishing: Users may be silently redirected to attacker-controlled sites impersonating legitimate services after authenticating.
Credential/token theft: The redirect can be chained to capture OAuth tokens or authorization codes.
Trust erosion: Users lose confidence in the application after being redirected to unexpected domains post-login.

Fix

Open Redirect

Incomplete List of Disallowed Inputs

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-601CWE-184CWE-20

Related Identifiers

CVE-2026-35410

GHSA-CF45-HXWJ-4CFJ

Affected Products

Directus

CVE-2026-35410

Summary

Details

Impact

Weakness Enumeration

Related Identifiers

Affected Products

References · 3