CVE-2026-13543

Source
https://cve.org/CVERecord?id=CVE-2026-13543
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-13543.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-13543
Published
2026-06-29T06:30:08.682Z
Modified
2026-07-15T01:49:13.423952238Z
Severity
  • 2.9 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
Documenso Google OAuth Login handle-oauth-callback-url.ts improper authentication
Details

A vulnerability was detected in Documenso up to 2.11.0. Affected by this vulnerability is an unknown functionality of the file packages/auth/server/lib/utils/handle-oauth-callback-url.ts of the component Google OAuth Login. The manipulation results in improper authentication. It is possible to launch the attack remotely. This attack is characterized by high complexity. The exploitation appears to be difficult. The exploit is now public and may be used. The pull request to fix this issue awaits acceptance.

Database specific
{
    "cna_assigner": "VulDB",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/13xxx/CVE-2026-13543.json",
    "cwe_ids": [
        "CWE-287"
    ]
}
References

Affected packages

Git / github.com/documenso/documenso

Affected ranges

Type
GIT
Repo
https://github.com/documenso/documenso
Events
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "2.0"
        },
        {
            "last_affected": "2.0"
        },
        {
            "introduced": "2.1"
        },
        {
            "last_affected": "2.1"
        },
        {
            "introduced": "2.2"
        },
        {
            "last_affected": "2.2"
        },
        {
            "introduced": "2.3"
        },
        {
            "last_affected": "2.3"
        },
        {
            "introduced": "2.4"
        },
        {
            "last_affected": "2.4"
        },
        {
            "introduced": "2.5"
        },
        {
            "last_affected": "2.5"
        },
        {
            "introduced": "2.6"
        },
        {
            "last_affected": "2.6"
        },
        {
            "introduced": "2.7"
        },
        {
            "last_affected": "2.7"
        },
        {
            "introduced": "2.8"
        },
        {
            "last_affected": "2.8"
        },
        {
            "introduced": "2.9"
        },
        {
            "last_affected": "2.9"
        },
        {
            "introduced": "2.10"
        },
        {
            "last_affected": "2.10"
        },
        {
            "introduced": "2.11.0"
        },
        {
            "last_affected": "2.11.0"
        }
    ]
}

Affected versions

2.*
2.0
2.1
2.10
2.11.0
2.2
2.3
2.4
2.5
2.6
2.7
2.8
2.9
v2.*
v2.0.0
v2.0.1
v2.0.10
v2.0.11
v2.0.12
v2.0.13
v2.0.14
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.0.6
v2.0.7
v2.0.8
v2.0.9
v2.1.0
v2.10.0
v2.10.1
v2.11.0
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.2.4
v2.2.5
v2.2.6
v2.2.7
v2.2.8
v2.3.0
v2.3.1
v2.3.2
v2.4.0
v2.5.0
v2.5.1
v2.6.0
v2.6.1
v2.7.0
v2.7.1
v2.8.0
v2.8.1
v2.9.0
v2.9.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-13543.json"