Description
Open redirection vulnerability in the authentication system allows an attacker to use manipulated values in the X-Forwarded-Host header to alter the URLs generated by the application. A successful exploit could redirect authenticated users to malicious sites following login procedures or interaction with the interface, resulting in limited impact on confidentiality and integrity.
Published: 2026-06-17
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker can craft a malicious X-Forwarded-Host header that causes the Password Manager to compose redirect URLs that point to attacker-controlled sites. The flaw, identified as CWE‑601, can lead to authenticated users being redirected to phishing or malicious domains during login or normal interface interactions, potentially enabling credential theft or other social engineering attacks. While the vulnerability does not directly compromise application data confidentiality or integrity, it creates a moderate risk by enabling deceptive URLs and undermining user trust.

Affected Systems

All instances of Password Manager from the Password Manager brand are affected. Any release before the August 7 2025 patch (build identifier 08_07_2025) contains the vulnerable header handling and must be upgraded to the patched build or newer.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. The EPSS score is not provided, and the vulnerability is not listed in the CISA KEV catalog, suggesting no widely known exploitation yet. An attacker can exploit the flaw by sending an HTTP request with a manipulated X-Forwarded-Host header to a target system that blindly trusts this header to generate redirect URLs, requiring only an authenticated session or the ability to influence the header during login or subsequent navigation.

Generated by OpenCVE AI on June 18, 2026 at 13:58 UTC.

Remediation

Vendor Solution

The vulnearbility has been fixed by the Password Manager team on 08/07/2025. It is recommend to update to the latest available version.


OpenCVE Recommended Actions

  • Apply the Password Manager patch corresponding to the 08_07_2025 build or any later release that removes the untrusted header processing.
  • Configure the application to ignore or sanitize the X-Forwarded-Host header unless it originates from a verified, trusted proxy server.
  • Implement a web application firewall rule to reject requests containing suspicious or malformed X-Forwarded-Host headers.

Generated by OpenCVE AI on June 18, 2026 at 13:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
Description Open redirection vulnerability in the authentication system allows an attacker to use manipulated values in the X-Forwarded-Host header to alter the URLs generated by the application. A successful exploit could redirect authenticated users to malicious sites following login procedures or interaction with the interface, resulting in limited impact on confidentiality and integrity.
Title Open redirection vulnerability in Password Manager
First Time appeared Password Manager
Password Manager password Manager
Weaknesses CWE-601
CPEs cpe:2.3:a:password_manager:password_manager:*:*:*:*:*:*:*:*
cpe:2.3:a:password_manager:password_manager:08_07_2025:*:*:*:*:*:*:*
Vendors & Products Password Manager
Password Manager password Manager
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}


Subscriptions

Password Manager Password Manager
cve-icon MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-06-17T14:57:50.529Z

Reserved: 2026-06-04T11:17:20.822Z

Link: CVE-2026-10839

cve-icon Vulnrichment

Updated: 2026-06-17T14:57:46.275Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T14:00:16Z

Weaknesses
  • CWE-601

    URL Redirection to Untrusted Site ('Open Redirect')