CVE-2026-49456

LOWPre-NVD 3.13.1
EchelonGraph scoreLOW confidence

This low-severity CVE scores 3.1 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m
3.1
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • Lower severity and no public exploit yet
CISA-KEV: Not listedEPSS: CVSS: 3.1Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Waku has an Open Redirect via unstable_redirect Helper

Summary

The unstable_redirect() helper exported from waku/router/server (packages/waku/src/router/define-router.tsx:156–161) accepts an arbitrary string and reflects it unchanged into the HTTP Location response header with no URL validation, scheme restriction, or path-only enforcement. Any application that passes user-controlled input to this helper — the natural pattern documented in the JSDoc and official fixtures — is vulnerable to open redirect attacks. An attacker who convinces a victim to click a crafted link can silently redirect the browser to an arbitrary external domain, enabling phishing, credential harvesting, and OAuth token theft. Additionally, scheme-relative URLs (//evil.example/) bypass naive https?://-only allow-list filters that developers might add as ad-hoc mitigations.

Dynamic PoC confirmed against waku 1.0.0-beta.0 (commit 8e9f542) in an isolated Docker environment. Two independent dynamic runs produced identical results.


Root Cause

packages/waku/src/router/define-router.tsx:156–161:

export function unstable_redirect(
  location: string, // only URL pathname is supported.
  status: 303 | 307 | 308 = 307,
): never {
  throw createCustomError('Redirect', { status, location });
}

The JSDoc comment states "only URL pathname is supported", but this constraint is expressed as documentation only — the function performs no validation. The location value propagates via createCustomError (custom-errors.ts:22–26) into an error digest, is recovered by getErrorInfo in the request handler (handler.ts:79–89), and reflected directly into headers.location of the outgoing Response with no sanitization:

if (info?.location) {
  headers.location = info.location;   // handler.ts:87 — unvalidated reflection
}
return new Response(body, { status, headers });


Trigger (one-line summary)

Any developer-supplied user input passed to unstable_redirect() is reflected unchanged into the HTTP Location header, enabling navigation to an attacker-controlled domain.


Affected Entry Surfaces

  • unstable_redirect(location, status?)waku/router/server public export
  • Any page/route component that passes searchParams, query, or other user-
controlled strings to unstable_redirect (the standard post-login or callback redirect pattern)
  • All waku adapters (Node.js, Cloudflare Workers, Vercel Edge, Deno) share the same
handler.ts reflection path; cross-runtime CRLF parity is unaudited (see note below)


Additional Defense-in-Depth Concern

On Node.js, CRLF injection via the Location header is rejected by node:_http_outgoing.setHeader (ERR_INVALID_CHAR). This defense is platform-specific and not present in the waku source. Cloudflare Workers, Deno Deploy, and other edge runtimes have not been verified to offer equivalent protection. A cross-runtime audit is recommended.


Suggested Fix Outline

Validate the location argument inside unstable_redirect before the error is thrown: reject any value that does not begin with a single / (no //), and reject any value containing control characters (\x00\x1f). An opt-in allow-list for intentional cross-origin redirects can be provided via a framework configuration option.


Disclosure

| Field | Value | |------------------|------------------------------------| | Reporter | j0hndo ([email protected]) | | Discovery date | 2026-05-17 | | Embargo | 90 days from acknowledgment | | Patched version | Not yet available | | Public references| CWE-601; OWASP A01:2021 |

CVSS v3
3.1
EG Score
3.1(low)
EPSS
KEV
Not listed

Published

July 8, 2026

Last Modified

July 8, 2026

Vendor Advisories for CVE-2026-49456(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 2× in last 7d / 3× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-14 18:13 UTCEG score recompute
  2. 2026-07-11 19:29 UTCEG score recompute
  3. 2026-07-08 20:46 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-49456?
CVE-2026-49456 is a low vulnerability published on July 8, 2026. Waku has an Open Redirect via unstable_redirect Helper Summary The unstable_redirect() helper exported from waku/router/server (packages/waku/src/router/define-router.tsx:156–161) accepts an arbitrary string and reflects it unchanged into the HTTP Location response header with no URL validation,…
When was CVE-2026-49456 disclosed?
CVE-2026-49456 was first published in the National Vulnerability Database on July 8, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
What is the CVSS score of CVE-2026-49456?
CVE-2026-49456 has a CVSS v4.0 base score of 3.1 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-49456?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-49456, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-49456

Explore →

Is Your Infrastructure Affected by CVE-2026-49456?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.