UBUNTU-CVE-2026-40295

See a problem?
Please try reporting it to the source first.
Source
https://ubuntu.com/security/CVE-2026-40295
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-40295.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-40295
Upstream
  • CVE-2026-40295
Published
2026-05-22T20:16:00Z
Modified
2026-05-27T19:09:50Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
  • Ubuntu - medium
Summary
[none]
Details

Devise is an authentication solution for Rails based on Warden. In versions 5.0.3 and below, when the Timeoutable module is enabled in Devise, the FailureApp#redirecturl method returns request.referrer — the HTTP Referer header, which is attacker-controllable — without validation for any non-GET request that results in a session timeout. An attacker who hosts a page with an auto-submitting cross-origin form can cause a victim with an expired Devise session to be redirected to an arbitrary external URL. This contrasts with the GET timeout path (which uses server-side attemptedpath) and Devise's own storelocationfor mechanism (which strips external hosts via extractpathfromlocation), both of which are protected; only the non-GET timeout redirect path is unprotected. Expired-session users can be silently redirected from the trusted app domain to attacker-controlled URLs, enabling phishing and malware delivery while bypassing browser warnings. Note: Rails' built-in open-redirect protection does not mitigate this issue. Devise::FailureApp is an ActionController::Metal app with its own isolated copy of the relevant redirect configuration, so config.actioncontroller.actiononopenredirect = :raise (and the older raiseonopenredirects setting) do not reach it. This issue has been fixed in version 5.0.4.

References

Affected packages

Ubuntu:16.04:LTS / ruby-devise

Package

Name
ruby-devise
Purl
pkg:deb/ubuntu/ruby-devise?arch=source&distro=xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*
3.5.1-1
3.5.2-1
3.5.2-2
3.5.2-3
3.5.6-2

Ecosystem specific 

{
    "binaries": [
        {
            "binary_name": "ruby-devise",
            "binary_version": "3.5.6-2"
        }
    ]
}

Database specific

source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-40295.json"

Ubuntu:18.04:LTS / ruby-devise

Package

Name
ruby-devise
Purl
pkg:deb/ubuntu/ruby-devise?arch=source&distro=bionic

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

4.*
4.2.0-1
4.3.0-1
4.4.3-1

Ecosystem specific 

{
    "binaries": [
        {
            "binary_name": "ruby-devise",
            "binary_version": "4.4.3-1"
        }
    ]
}

Database specific

source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-40295.json"

Ubuntu:20.04:LTS / ruby-devise

Package

Name
ruby-devise
Purl
pkg:deb/ubuntu/ruby-devise?arch=source&distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

4.*
4.5.0-3
4.6.2-2
4.7.1-2

Ecosystem specific 

{
    "binaries": [
        {
            "binary_name": "ruby-devise",
            "binary_version": "4.7.1-2"
        }
    ]
}

Database specific

source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-40295.json"

Ubuntu:22.04:LTS / ruby-devise

Package

Name
ruby-devise
Purl
pkg:deb/ubuntu/ruby-devise?arch=source&distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

4.*
4.7.3-2

Ecosystem specific 

{
    "binaries": [
        {
            "binary_name": "ruby-devise",
            "binary_version": "4.7.3-2"
        }
    ]
}

Database specific

source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-40295.json"

Ubuntu:24.04:LTS / ruby-devise

Package

Name
ruby-devise
Purl
pkg:deb/ubuntu/ruby-devise?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

4.*
4.8.1-1
4.9.2-1
4.9.3-1

Ecosystem specific 

{
    "binaries": [
        {
            "binary_name": "ruby-devise",
            "binary_version": "4.9.3-1"
        }
    ]
}

Database specific

source 
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-40295.json"