GHSA-x7qq-m748-8p2c

Source
https://github.com/advisories/GHSA-x7qq-m748-8p2c
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-x7qq-m748-8p2c/GHSA-x7qq-m748-8p2c.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-x7qq-m748-8p2c
Aliases
  • CVE-2026-49820
Published
2026-06-30T18:31:50Z
Modified
2026-06-30T18:45:31.991532276Z
Severity
  • 4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
Summary
Probo has an open redirect bypass via path normalization
Details

Impact

Probo's saferedirect package validates redirect URLs used across authentication flows (OIDC, SAML, session transfer, OAuth connectors, and trust-center magic links). The validator only inspected the second character of relative paths, so a URL like /../\evil.com passed validation because its second character is a dot rather than the slash or backslash the check looked for. Go's http.Redirect normalizes this path to /\evil.com before setting the Location header. Browsers can interpret the backslash as a host separator and redirect the user to an external domain (https://evil.com), bypassing the intended same-origin restriction. This enables open-redirect phishing: an attacker can craft a continue parameter (or embed a malicious URL in a session-transfer token) that appears to originate from a trusted Probo domain but redirects victims elsewhere.

Patches

Fixed in go.probo.inc/probo by normalizing relative paths with path.Clean before validation, rejecting backslashes (including percent-encoded %5c) anywhere in the path, and re-checking the normalized result for protocol-relative and backslash prefixes.

Self-hosted deployments should upgrade to probod v0.194.1 or later.

SaaS deployments on getprobo.com are patched.
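The following Go program is an added illustration for this advisory, not code from Probo's saferedirect package. It reproduces the normalization step described under Impact (path.Clean applied the same way http.Redirect applies it, so /../\evil.com becomes /\evil.com), shows a second-character-only check of the kind the advisory says was bypassed (NaiveSecondCharCheck, a hypothetical reconstruction), and a hardened validator (SafeRedirectPath, also hypothetical) that applies the three mitigations listed under Patches: reject backslashes anywhere, including percent-encoded %5c, normalize with path.Clean before validation, and re-check the normalized result for protocol-relative and backslash prefixes. The sample targets in main are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// ErrUnsafeRedirect is returned for any target that is not a same-origin rooted path.
var ErrUnsafeRedirect = errors.New("redirect target is not a safe same-origin path")

// NormalizeLikeHTTPRedirect mirrors what net/http's Redirect does to a rooted
// relative target: split off the query, run path.Clean on the rest, and keep a
// trailing slash. This is what ends up in the Location header, so it is the
// form that must be validated. (Reconstruction for this page, not Probo's code.)
func NormalizeLikeHTTPRedirect(raw string) string {
	pathPart, query := raw, ""
	if i := strings.Index(raw, "?"); i != -1 {
		pathPart, query = raw[:i], raw[i:]
	}
	trailing := strings.HasSuffix(pathPart, "/")
	cleaned := path.Clean(pathPart)
	if trailing && !strings.HasSuffix(cleaned, "/") {
		cleaned += "/"
	}
	return cleaned + query
}

// NaiveSecondCharCheck is a hypothetical stand-in for the pre-fix logic the
// advisory describes: only the second character is inspected, so a path whose
// second character is '.' is accepted even if normalization later yields "/\".
func NaiveSecondCharCheck(raw string) bool {
	if raw == "" || raw[0] != '/' {
		return false
	}
	return len(raw) < 2 || (raw[1] != '/' && raw[1] != '\\')
}

// SafeRedirectPath is a hypothetical hardened validator applying the checks
// listed in the advisory's Patches section. It returns the normalized path that
// will actually be emitted, or an error.
func SafeRedirectPath(raw string) (string, error) {
	// Only rooted relative paths are ever acceptable.
	if raw == "" || raw[0] != '/' {
		return "", ErrUnsafeRedirect
	}
	// Reject backslashes anywhere, literal or percent-encoded (%5c / %5C),
	// before normalization can move one next to the root.
	if strings.Contains(raw, `\`) || strings.Contains(strings.ToLower(raw), "%5c") {
		return "", ErrUnsafeRedirect
	}
	// Anything with a scheme, host or opaque part is an absolute URL; this also
	// catches protocol-relative "//host" targets.
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "" || u.Host != "" || u.Opaque != "" {
		return "", ErrUnsafeRedirect
	}
	// Normalize first, then re-check the result: "//" is protocol-relative and
	// "/\" is treated as a host separator by some browsers.
	cleaned := NormalizeLikeHTTPRedirect(raw)
	if strings.HasPrefix(cleaned, "//") || strings.HasPrefix(cleaned, `/\`) {
		return "", ErrUnsafeRedirect
	}
	return cleaned, nil
}

func main() {
	// Constructed sample targets: benign paths plus the advisory's bypass shape.
	for _, target := range []string{
		`/dashboard?tab=1`,
		`/../\evil.com`,
		`/..%5Cevil.com`,
		`//evil.com/login`,
		`https://evil.com`,
		`/a/../b/`,
	} {
		fmt.Printf("%-20q naive=%-5v normalized=%-16q hardened=",
			target, NaiveSecondCharCheck(target), NormalizeLikeHTTPRedirect(target))
		if cleaned, err := SafeRedirectPath(target); err != nil {
			fmt.Println("rejected")
		} else {
			fmt.Printf("ok -> %q\n", cleaned)
		}
	}
}
```

Running it shows the naive check accepting /../\evil.com while the normalized form is /\evil.com, and the hardened validator rejecting that input, the %5C-encoded variant, and the protocol-relative form while still passing ordinary paths with queries and trailing slashes through unchanged.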

Workarounds

No practical workaround for self-hosted installations. Upgrade to the patched release.

Database specific
{
    "github_reviewed_at": "2026-06-30T18:31:50Z",
    "nvd_published_at": null,
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-601"
    ],
    "severity": "MODERATE"
}
References

Affected packages

Go / go.probo.inc/probo

Package

Name
go.probo.inc/probo
Purl
pkg:golang/go.probo.inc/probo

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.204.0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-x7qq-m748-8p2c/GHSA-x7qq-m748-8p2c.json"