CVE-2026-28413 identifies an open redirect vulnerability (CWE-601) in the Products.isurlinportal module of the Plone content management system. This module replaces the isURLInPortal method and is responsible for validating URLs within the portal context. Prior to versions 2.1.0, 3.1.0, and 4.0.0, the component fails to properly validate the 'came_from' URL parameter, allowing attackers to craft URLs such as '/login?came_from=////evil.example' that redirect users to external, potentially malicious websites after login. This behavior can be exploited to facilitate phishing attacks by redirecting users to attacker-controlled domains while appearing to originate from a trusted Plone portal. The vulnerability requires no authentication or user interaction beyond clicking a malicious link, making it relatively easy to exploit. However, the impact is limited to confidentiality as it does not affect data integrity or system availability. The vulnerability has been addressed in the specified patched versions, which enforce stricter validation of redirect URLs to ensure they remain within the trusted portal domain. No known exploits have been reported in the wild as of the publication date. The CVSS v3.1 base score is 5.3, reflecting a medium severity level due to the ease of exploitation but limited impact scope.

The primary impact of CVE-2026-28413 is on user confidentiality and trust. By enabling open redirects, attackers can craft URLs that appear to originate from a legitimate Plone portal but redirect users to malicious external sites. This can facilitate phishing campaigns, credential theft, and distribution of malware. Organizations relying on affected Plone versions may see increased phishing risks targeting their users, potentially leading to compromised credentials or unauthorized access to sensitive systems. While the vulnerability does not directly compromise system integrity or availability, the indirect consequences of successful phishing attacks can be severe, including data breaches and reputational damage. The ease of exploitation without authentication or user interaction beyond clicking a link broadens the attack surface. However, the absence of known active exploits reduces immediate risk. Organizations with public-facing Plone portals, especially those in sectors like government, education, and healthcare, are particularly vulnerable due to the value of their user bases and the trust placed in their domains.

To mitigate CVE-2026-28413, organizations should promptly upgrade affected Plone Products.isurlinportal components to versions 2.1.0, 3.1.0, or 4.0.0 or later, where the open redirect flaw has been patched. In addition to patching, administrators should audit URL redirect handling configurations to ensure that only trusted internal URLs are allowed for redirection. Implement strict input validation and sanitization on all URL parameters related to redirection, enforcing whitelist policies that restrict redirects to known safe domains within the portal. Employ web application firewalls (WAFs) with rules designed to detect and block open redirect attempts targeting the 'came_from' parameter. User education campaigns to raise awareness about phishing risks and suspicious URLs can reduce the likelihood of successful exploitation. Monitoring logs for unusual redirect patterns or spikes in login redirection requests can help detect exploitation attempts early. Finally, consider implementing multi-factor authentication (MFA) to reduce the impact of credential theft resulting from phishing facilitated by this vulnerability.