CVE-2026-25477: CWE-601: URL Redirection to Untrusted Site ('Open Redirect') in toeverything AFFiNE
CVE-2026-25477 is an Open Redirect vulnerability in the AFFiNE workspace and operating system prior to version 0.26.0. The issue stems from flawed domain validation in the /redirect-proxy endpoint, where an improperly anchored regular expression allows attackers to bypass whitelist checks by using malicious domains that end with trusted strings. This vulnerability can be exploited without authentication but requires user interaction to trigger the redirect. The flaw has been patched in version 0.26.0. The CVSS 4.0 score is 6.
AI Analysis
Technical Summary
AFFiNE is an open-source all-in-one workspace and operating system designed to integrate various productivity tools. Prior to version 0.26.0, AFFiNE contained an Open Redirect vulnerability (CVE-2026-25477) located specifically at the /redirect-proxy endpoint. The root cause is an improperly anchored regular expression used in domain validation logic. This flaw allows attackers to craft URLs with malicious domains that end with a trusted domain string, thereby bypassing the whitelist intended to restrict redirects to trusted sites only. For example, if the trusted domain is example.com, an attacker could use a domain like malicious-example.com that passes the flawed regex check. When a user clicks such a crafted URL, they are redirected to the attacker-controlled site, potentially exposing them to phishing, malware, or other social engineering attacks. The vulnerability requires no authentication but does require user interaction to trigger the redirect. The issue was publicly disclosed and patched in AFFiNE version 0.26.0. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, user interaction needed, and high impact on confidentiality, but no impact on integrity or availability. No known exploits have been reported in the wild as of the publication date. This vulnerability highlights the risks of improper input validation in redirect mechanisms and the importance of strict domain validation to prevent open redirect attacks.
Potential Impact
The primary impact of this vulnerability is the facilitation of phishing and social engineering attacks. Attackers can exploit the open redirect to trick users into visiting malicious websites that appear to be trusted, potentially leading to credential theft, malware infection, or further exploitation. Although the vulnerability does not directly compromise system integrity or availability, it undermines user trust and can serve as a stepping stone for more complex attacks. Organizations using AFFiNE versions prior to 0.26.0 are at risk of users being redirected to attacker-controlled sites, especially if users are not trained to recognize suspicious URLs. The medium CVSS score reflects the moderate risk due to the need for user interaction and the absence of direct system compromise. However, the widespread use of AFFiNE in collaborative environments could amplify the impact if attackers leverage this vulnerability in targeted campaigns. The lack of known exploits in the wild suggests limited current exploitation but does not preclude future attacks.
Mitigation Recommendations
The most effective mitigation is to upgrade AFFiNE to version 0.26.0 or later, where the vulnerability has been patched. Organizations should enforce strict URL validation and avoid relying solely on regular expressions for domain whitelisting; instead, use exact domain matching or well-tested libraries for URL parsing and validation. Additionally, implement user awareness training to recognize suspicious redirects and phishing attempts. Monitoring and logging redirect-proxy endpoint usage can help detect anomalous redirect patterns. If upgrading is not immediately possible, consider implementing web application firewall (WAF) rules to block suspicious redirect URLs or domains that mimic trusted domains. Finally, review and minimize the use of open redirect endpoints in applications to reduce attack surface.
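The suffix-match flaw described in the Technical Summary, and the exact-domain validation and redirect-proxy monitoring recommended above, as an added TypeScript example. This is not AFFiNE's code: the trusted-domain list, the function names, the `url` query parameter name and the access-log format are assumptions made for the example, and the sample log lines are constructed.

```typescript
// Added example, not AFFiNE's code. It contrasts an improperly anchored
// suffix check with a parser-based hostname allow-list, and reuses the
// hardened check to flag redirect-proxy log entries whose target fails it.
// TRUSTED_DOMAINS, the "url" parameter name and the log format are assumptions.

// Constructed allow-list of domains the redirect endpoint may forward to.
const TRUSTED_DOMAINS: string[] = ["example.com"];

function escapeRegex(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Flawed check of the kind the advisory describes: the pattern is anchored
// only at the end, so any host that merely ends with the trusted string
// passes, e.g. "malicious-example.com".
function isTrustedHostFlawed(host: string): boolean {
  return TRUSTED_DOMAINS.some((d) =>
    new RegExp(`${escapeRegex(d)}$`, "i").test(host)
  );
}

function parseUrl(target: string): URL | null {
  try {
    return new URL(target);
  } catch {
    return null; // relative or unparsable targets are not forwarded
  }
}

// Hardened check: let the WHATWG URL parser extract the real hostname,
// allow only http(s), and accept the host when it equals a trusted domain
// or sits under it on a dot boundary ("sub.example.com" yes,
// "malicious-example.com" no).
function isTrustedRedirect(target: string): boolean {
  const u = parseUrl(target);
  if (u === null) return false;
  if (u.protocol !== "https:" && u.protocol !== "http:") return false;
  const host = u.hostname.toLowerCase();
  return TRUSTED_DOMAINS.some((d) => host === d || host.endsWith("." + d));
}

// Endpoint helper: only an allow-listed target is returned; anything else
// falls back to a same-origin landing page instead of an external redirect.
function resolveRedirect(target: string, fallback: string = "/"): string {
  return isTrustedRedirect(target) ? target : fallback;
}

// Detection side: given access-log lines of the assumed form
//   "<timestamp> <method> <path-with-query> <status>"
// return the decoded redirect targets that fail the hardened check, so a
// not-yet-upgraded instance can be reviewed for suspicious redirects.
function flagSuspiciousRedirects(lines: string[]): string[] {
  const flagged: string[] = [];
  for (const line of lines) {
    const fields = line.trim().split(/\s+/);
    if (fields.length < 3) continue;
    const path = fields[2];
    if (!path.startsWith("/redirect-proxy")) continue;
    // Resolve against a dummy origin so the query string can be parsed.
    const target = new URL(path, "http://localhost").searchParams.get("url");
    if (target !== null && !isTrustedRedirect(target)) flagged.push(target);
  }
  return flagged;
}

// Constructed sample log lines, not real AFFiNE logs.
const SAMPLE_LOG: string[] = [
  "2026-03-02T19:33:21Z GET /redirect-proxy?url=https%3A%2F%2Fexample.com%2Fdocs 302",
  "2026-03-02T19:33:25Z GET /redirect-proxy?url=https%3A%2F%2Fmalicious-example.com%2Flogin 302",
  "2026-03-02T19:33:30Z GET /api/workspaces 200",
  "2026-03-02T19:33:41Z GET /redirect-proxy?url=https%3A%2F%2Fsub.example.com%2F 302",
];

console.log(isTrustedHostFlawed("malicious-example.com")); // true: suffix check bypassed
console.log(isTrustedRedirect("https://malicious-example.com/login")); // false
console.log(resolveRedirect("https://malicious-example.com/login")); // "/"
console.log(flagSuspiciousRedirects(SAMPLE_LOG)); // [ "https://malicious-example.com/login" ]
```

The hardened check deliberately does not reason about the raw string at all: it asks the URL parser for the hostname and compares that against the allow-list, either exactly or with a leading dot, which is the boundary the anchored-only regex lacks. The same function serves the endpoint (deciding whether to forward) and the log review (deciding which past targets to look at).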
Affected Countries
United States, Germany, China, India, United Kingdom, France, Japan, South Korea, Canada, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-02T16:31:35.820Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69a5e601d1a09e29cb3f713b
Added to database: 3/2/2026, 7:33:21 PM
Last enriched: 3/2/2026, 7:48:20 PM
Last updated: 3/2/2026, 8:34:47 PM