Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

GHSA-h29v-hj44-q8cv: Authorizer: Unvalidated redirect_uri in /authorize leaks OAuth2 tokens to attacker-controlled URL

0
Critical
Published: 07/10/2026 (07/10/2026, 19:25:15 UTC)
Source: GCVE Database
Product: github.com/authorizerdev/authorizer

Description

The /authorize endpoint in github.com/authorizerdev/authorizer does not validate the redirect_uri parameter against allowed origins. When response_type=token or id_token, the server appends OAuth2 tokens as query parameters and redirects to the attacker-controlled URL. An unauthenticated attacker can obtain the client_id publicly and craft malicious URLs to steal victim tokens via automatic browser redirects. This allows token theft without additional user interaction.

CVSS v3.1

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Affected software

Goghsa
github.com/authorizerdev/authorizer
Affected versions
<0.0.0-20260409051328-bd3f5baf6d3d

Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/11/2026, 09:51:05 UTC

Technical Analysis

The vulnerability in github.com/authorizerdev/authorizer's /authorize endpoint arises because it accepts any redirect_uri without validating it against the configured AllowedOrigins. When the response_type is token or id_token, the server includes access_token, id_token, and refresh_token in the redirect URL query parameters and issues a 302 redirect to the supplied redirect_uri. An attacker can obtain the client_id from a public GraphQL endpoint and craft a malicious URL that, when visited by a logged-in user, causes the tokens to be sent to an attacker-controlled URL. A partial fix was applied in version 2.0.1 to other OAuth handlers but not to /authorize. The proposed fix is to add an origin validation check similar to other handlers to reject unauthorized redirect_uris.

Potential Impact

An attacker who convinces a logged-in user to visit a crafted URL can steal the victim's OAuth2 tokens (access_token, id_token, refresh_token). With these tokens, the attacker can impersonate the victim for the full token lifetime. No additional user interaction beyond clicking the link is required, as the victim's browser automatically follows the redirect containing the tokens. This leads to a critical compromise of user accounts and session integrity.

Mitigation Recommendations

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The proposed fix is to implement validation of the redirect_uri parameter against the configured AllowedOrigins in the /authorize endpoint, rejecting requests with unauthorized redirect_uris. This matches the partial fix applied in version 2.0.1 to other OAuth handlers. Until a patch is available, avoid exposing the /authorize endpoint or restrict usage to trusted clients only.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Gcve Source
db.gcve.eu
Osv Id
GHSA-h29v-hj44-q8cv
Osv Schema Version
1.4.0
Aliases
["CVE-2026-54072"]
Ecosystems
["Go"]
Database Specific Severity
CRITICAL
Cvss Version
3.1

Threat ID: 6a520eb668715ace438f52fe

Added to database: 07/11/2026, 09:36:54 UTC

Last enriched: 07/11/2026, 09:51:05 UTC

Last updated: 07/11/2026, 10:47:04 UTC

Views: 5

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses