CVE-2026-42565

Source
https://cve.org/CVERecord?id=CVE-2026-42565
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42565.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-42565
Aliases
Published
2026-05-11T19:01:28.340Z
Modified
2026-07-08T08:13:32.912079692Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVSS Calculator
Summary
@workos/authkit-session: Open Redirect via state-derived redirect target
Details

@workos/authkit-session is a toolkit for building WorkOS AuthKit framework integrations. Prior to 0.5.1, an open redirect vulnerability exists in AuthService.handleCallback due to insufficient validation of the returnPathname value derived from the OAuth state parameter. The state parameter is round-tripped through the identity provider (IdP) and can be influenced by an attacker. The handleCallback function decodes and returns returnPathname without enforcing restrictions on origin or scheme. As a result, attacker-controlled values may be returned to the application. If this value is used directly in a redirect, it may cause the user to be redirected to an external, attacker-controlled site. This vulnerability is fixed in 0.5.1.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-601"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42565.json"
}
References

Affected packages

Git / github.com/workos/authkit-session

Affected ranges

Type
GIT
Repo
https://github.com/workos/authkit-session
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "0.5.1"
        }
    ]
}

Affected versions

v0.*
v0.0.1-alpha.0
v0.0.1-alpha.2
v0.0.1-alpha.3
v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.2.0
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.3.4
v0.4.0
v0.5.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42565.json"