PT-2026-55209 · Concourse · Concourse

Published

2026-07-01

·

Updated

2026-07-07

·

CVE-2026-49826

CVSS v4.0

0.0

None

VectorAV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions Concourse versions prior to 8.2.3
Description An open redirect issue exists in the login flow. An attacker can craft a URL that redirects users from the Concourse web server to an external site, which could be utilized in phishing attacks to steal credentials. The issue occurs because of how the Go url package processes the redirect uri parameter in the /sky/login endpoint. Specifically, if the URL contains characters that require escaping, such as backslashes, an extra decoding step is performed, allowing a path like /%252Fexample.com/ to be parsed as //example.com.
Recommendations Update to version 8.2.3.

Fix

Open Redirect

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-49826
GHSA-8W27-C4VC-88Q9
GO-2026-5866

Affected Products

Concourse