PT-2026-39197 · Drawio · Drawio
Fl3X1Nz · Published 2026-05-08 · Updated 2026-05-09 · CVE-2026-42195
CVSS v3.1: 3.4 (Low)
Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
draw.io versions prior to 29.7.9
Description
The application accepts a gitlab URL parameter that overrides the GitLab server URL used during OAuth sign-in. An attacker can use a crafted link to cause the "Authorize in GitLab" dialog to open a popup on a host under their control instead of the legitimate gitlab.com. This behavior can lead to credential phishing and the exfiltration of session state tokens.
Recommendations
Update to version 29.7.9.
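The defensive pattern behind this class of bug is to never let a query parameter choose the OAuth provider's origin freely: parse the value, compare its origin (not the raw string) against an explicit allowlist, and fall back to the trusted default otherwise. The following is an added illustration written for this page, not draw.io's own code or its actual fix; the parameter name `gitlab` comes from the advisory, while `ALLOWED_GITLAB_ORIGINS`, the self-hosted instance name and the `/oauth/authorize` path assembly are assumptions for the example.

```javascript
// Added example (hypothetical; not draw.io's code): resolve the GitLab origin
// used for OAuth sign-in from an untrusted "gitlab" query parameter.
const DEFAULT_GITLAB_ORIGIN = 'https://gitlab.com';

// Assumed allowlist: the public instance plus self-hosted instances an operator
// has deliberately configured. Anything else falls back to the default.
const ALLOWED_GITLAB_ORIGINS = new Set([
  DEFAULT_GITLAB_ORIGIN,
  'https://gitlab.example.internal', // constructed sample value
]);

function resolveGitlabOrigin(param, allowed = ALLOWED_GITLAB_ORIGINS, fallback = DEFAULT_GITLAB_ORIGIN) {
  if (typeof param !== 'string' || param.length === 0) return fallback;

  let url;
  try {
    url = new URL(param); // only absolute URLs parse here
  } catch {
    return fallback;
  }

  // Require TLS: an http:// provider would expose the authorization code and state in clear.
  if (url.protocol !== 'https:') return fallback;

  // Reject embedded credentials; "https://gitlab.com@other.example" has host other.example,
  // and comparing on url.origin (below) would already catch it, but be explicit.
  if (url.username || url.password) return fallback;

  // Compare the normalised origin (scheme + lowercased host + port). Path, query and
  // fragment are discarded, so "https://other.example/gitlab.com" cannot pass.
  return allowed.has(url.origin) ? url.origin : fallback;
}

// Build the authorize URL for the popup. The state value must be generated per
// session and bound to it server-side; this function only ensures it is sent to
// an allowlisted origin.
function buildAuthorizeUrl(param, clientId, redirectUri, state) {
  const origin = resolveGitlabOrigin(param);
  const u = new URL('/oauth/authorize', origin); // assumed GitLab authorize path
  u.searchParams.set('client_id', clientId);
  u.searchParams.set('redirect_uri', redirectUri);
  u.searchParams.set('response_type', 'code');
  u.searchParams.set('state', state);
  return u.toString();
}

// Constructed inputs a reviewer would want covered:
const samples = [
  'https://gitlab.com',
  'https://GITLAB.com/',
  'https://gitlab.example.internal/some/path',
  'https://other.example',
  'https://gitlab.com@other.example',
  'http://gitlab.com',
  'not a url',
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', resolveGitlabOrigin(s));
}
```

The key design choice is allowlisting on `url.origin` rather than pattern-matching the raw string: the WHATWG URL parser normalises case and strips userinfo, path and fragment, so the comparison cannot be confused by those components, and an unknown instance degrades safely to gitlab.com instead of becoming the popup target.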
Fix
Information Disclosure
Open Redirect
Related Identifiers
Affected Products
Drawio