GHSA-h29v-hj44-q8cv: Authorizer: Unvalidated redirect_uri in /authorize leaks OAuth2 tokens to attacker-controlled URL
The /authorize endpoint in github.com/authorizerdev/authorizer does not validate the redirect_uri parameter against allowed origins. When response_type=token or id_token, the server appends OAuth2 tokens as query parameters and redirects to the attacker-controlled URL. An unauthenticated attacker can obtain the client_id publicly and craft malicious URLs to steal victim tokens via automatic browser redirects. This allows token theft without additional user interaction.
AI Analysis
Technical Summary
The vulnerability in github.com/authorizerdev/authorizer's /authorize endpoint arises because it accepts any redirect_uri without validating it against the configured AllowedOrigins. When the response_type is token or id_token, the server includes access_token, id_token, and refresh_token in the redirect URL query parameters and issues a 302 redirect to the supplied redirect_uri. An attacker can obtain the client_id from a public GraphQL endpoint and craft a malicious URL that, when visited by a logged-in user, causes the tokens to be sent to an attacker-controlled URL. A partial fix was applied in version 2.0.1 to other OAuth handlers but not to /authorize. The proposed fix is to add an origin validation check similar to other handlers to reject unauthorized redirect_uris.
Potential Impact
An attacker who convinces a logged-in user to visit a crafted URL can steal the victim's OAuth2 tokens (access_token, id_token, refresh_token). With these tokens, the attacker can impersonate the victim for the full token lifetime. No additional user interaction beyond clicking the link is required, as the victim's browser automatically follows the redirect containing the tokens. This leads to a critical compromise of user accounts and session integrity.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The proposed fix is to implement validation of the redirect_uri parameter against the configured AllowedOrigins in the /authorize endpoint, rejecting requests with unauthorized redirect_uris. This matches the partial fix applied in version 2.0.1 to other OAuth handlers. Until a patch is available, avoid exposing the /authorize endpoint or restrict usage to trusted clients only.
GHSA-h29v-hj44-q8cv: Authorizer: Unvalidated redirect_uri in /authorize leaks OAuth2 tokens to attacker-controlled URL
Description
The /authorize endpoint in github.com/authorizerdev/authorizer does not validate the redirect_uri parameter against allowed origins. When response_type=token or id_token, the server appends OAuth2 tokens as query parameters and redirects to the attacker-controlled URL. An unauthenticated attacker can obtain the client_id publicly and craft malicious URLs to steal victim tokens via automatic browser redirects. This allows token theft without additional user interaction.
CVSS v3.1
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in github.com/authorizerdev/authorizer's /authorize endpoint arises because it accepts any redirect_uri without validating it against the configured AllowedOrigins. When the response_type is token or id_token, the server includes access_token, id_token, and refresh_token in the redirect URL query parameters and issues a 302 redirect to the supplied redirect_uri. An attacker can obtain the client_id from a public GraphQL endpoint and craft a malicious URL that, when visited by a logged-in user, causes the tokens to be sent to an attacker-controlled URL. A partial fix was applied in version 2.0.1 to other OAuth handlers but not to /authorize. The proposed fix is to add an origin validation check similar to other handlers to reject unauthorized redirect_uris.
Potential Impact
An attacker who convinces a logged-in user to visit a crafted URL can steal the victim's OAuth2 tokens (access_token, id_token, refresh_token). With these tokens, the attacker can impersonate the victim for the full token lifetime. No additional user interaction beyond clicking the link is required, as the victim's browser automatically follows the redirect containing the tokens. This leads to a critical compromise of user accounts and session integrity.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The proposed fix is to implement validation of the redirect_uri parameter against the configured AllowedOrigins in the /authorize endpoint, rejecting requests with unauthorized redirect_uris. This matches the partial fix applied in version 2.0.1 to other OAuth handlers. Until a patch is available, avoid exposing the /authorize endpoint or restrict usage to trusted clients only.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-h29v-hj44-q8cv
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-54072"]
- Ecosystems
- ["Go"]
- Database Specific Severity
- CRITICAL
- Cvss Version
- 3.1
Threat ID: 6a520eb668715ace438f52fe
Added to database: 07/11/2026, 09:36:54 UTC
Last enriched: 07/11/2026, 09:51:05 UTC
Last updated: 07/11/2026, 10:47:04 UTC
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.