CVE-2026-49826

LOWPre-NVD 0.0
0.0
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • No confirmed exploitation signals yet
CISA-KEV: Not listedEPSS: CVSS: Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Concourse login flow has an open redirect issue

Impact

An attacker is able to craft and send a user a URL that will redirect the user from the Concourse web server to any other site. This could be used in a phishing attack to steal user's credentials.

Patches

This has been fixed in 8.2.3

Workarounds

None.

Exploit

Vulnerable code was in: https://github.com/concourse/concourse/blob/ea7b812e3a88fdd070f0faece874e8a2d4fbb31c/skymarshal/skyserver/skyserver.go#L162-L170

The issue stems from the underlying processing logic of Go's url package. Normally, ParseRequestURI() will eventually reach an internal url.setPath() function, where the URL will be decoded. However, if RawPath is not empty and validEncoded(RawPath) is true, and the decoded result equals Path, then return RawPath as is; otherwise, escape Path again, i.e., decode it again.

In other words, if the URL contains dangerous characters that should be escaped, such as backslashes (\), then an extra decoding step will be performed. Therefore, /%2Fexample.com will be parsed as //example.com.

On vulnerable versions of Concourse, add /sky/login?redirect_uri=/%252Fexample.com/\ to your Concourse external URL, login as usual, and you should be redirected to example.com instead of your Concourse web server. The redirect happens after the login flow completes. No credentials are leaked.

CVSS v3
EG Score
0.0(none)
EPSS
KEV
Not listed

Published

July 1, 2026

Last Modified

July 1, 2026

Vendor Advisories for CVE-2026-49826(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 1× in last 7d / 1× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-01 19:02 UTCEG score recompute

Frequently asked(3)

What is CVE-2026-49826?
CVE-2026-49826 is a low vulnerability published on July 1, 2026. Concourse login flow has an open redirect issue Impact An attacker is able to craft and send a user a URL that will redirect the user from the Concourse web server to any other site. This could be used in a phishing attack to steal user's credentials. Patches This has been fixed in 8.2.3…
When was CVE-2026-49826 disclosed?
CVE-2026-49826 was first published in the National Vulnerability Database on July 1, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
How do I remediate CVE-2026-49826?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-49826, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-49826

Explore →

Is Your Infrastructure Affected by CVE-2026-49826?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.