PT-2026-54444 · Probod · Probod

Published

2026-06-30

·

Updated

2026-07-07

·

CVE-2026-49820

CVSS v3.1

4.7

Medium

VectorAV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions probod versions prior to 0.194.1
Description The saferedirect package in go.probo.inc/probo fails to properly validate redirect URLs used in authentication flows, such as OIDC, SAML, session transfer, OAuth connectors, and trust-center magic links. The validator only checks the second character of relative paths, allowing URLs like /../evil.com to pass. Because Go's http.Redirect normalizes this path to /evil.com, browsers may interpret the backslash as a host separator and redirect the user to an external domain. This allows attackers to use the continue parameter or session-transfer tokens to perform open-redirect phishing by crafting URLs that appear to originate from a trusted domain.
Recommendations Upgrade to probod version 0.194.1 or later.

Fix

Open Redirect

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-49820
GHSA-X7QQ-M748-8P2C
GO-2026-5861

Affected Products

Probod