PT-2026-54444 · Probod · Probod
Published
2026-06-30
·
Updated
2026-07-07
·
CVE-2026-49820
CVSS v3.1
4.7
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
probod versions prior to 0.194.1
Description
The
saferedirect package in go.probo.inc/probo fails to properly validate redirect URLs used in authentication flows, such as OIDC, SAML, session transfer, OAuth connectors, and trust-center magic links. The validator only checks the second character of relative paths, allowing URLs like /../evil.com to pass. Because Go's http.Redirect normalizes this path to /evil.com, browsers may interpret the backslash as a host separator and redirect the user to an external domain. This allows attackers to use the continue parameter or session-transfer tokens to perform open-redirect phishing by crafting URLs that appear to originate from a trusted domain.Recommendations
Upgrade to probod version 0.194.1 or later.
Fix
Open Redirect
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Probod