An issue was found in the redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts.