Description
AFFiNE is an open-source, all-in-one workspace and an operating system. Prior to version 0.26.0, there is an Open Redirect vulnerability located at the /redirect-proxy endpoint. The flaw exists in the domain validation logic, where an improperly anchored Regular Expression allows an attacker to bypass the whitelist by using malicious domains that end with a trusted string. This issue has been patched in version 0.26.0.
Published: 2026-03-02
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Open Redirect via Regex Bypass
Action: Apply Patch
AI Analysis

Impact

A flaw in the domain validation logic of the /redirect-proxy endpoint lets an attacker craft a URL that bypasses the whitelist by appending a malicious domain to a trusted suffix. The bypass occurs because the Regular Expression anchoring is insufficient, allowing the attacker to redirect users to arbitrary external sites. This can be exploited to facilitate phishing or drive traffic to malicious domains, compromising user trust and potentially enabling social engineering attacks. The weakness is classified as CWE‑601, an open redirect vulnerability.

Affected Systems

This issue affects the open-source workspace platform AffiNE from the toeverything vendor. Versions prior to 0.26.0 are vulnerable; the fix is included in 0.26.0 and later releases. Systems using the system’s redirect-proxy feature are at risk.

Risk and Exploitability

The CVSS score of 6.9 reflects moderate severity. However, the EPSS score of less than 1% indicates that exploitation is currently unlikely, and the vulnerability is not listed in CISA’s KEV catalog. The typical attack vector would be through a crafted URL, so users or attackers could supply malicious links that appear legitimate. While the risk to system integrity is low, the impact on user trust and potential for phishing remains significant.

Generated by OpenCVE AI on April 16, 2026 at 14:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AffiNE to version 0.26.0 or later to receive the patched Redirect‑Proxy logic.
  • If upgrading is not immediately possible, disable or block access to the /redirect-proxy endpoint until a patch can be applied.
  • Configure a Web Application Firewall or reverse proxy rule to reject URLs that attempt to bypass the whitelist by using suffix matching against trusted domains.
  • Educate users to be wary of unexpected redirects, particularly from links that terminate in known company domains.

Generated by OpenCVE AI on April 16, 2026 at 14:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Affine
Affine affine
CPEs cpe:2.3:a:affine:affine:*:*:*:*:-:*:*:*
Vendors & Products Affine
Affine affine
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Wed, 04 Mar 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Toeverything
Toeverything affine
Vendors & Products Toeverything
Toeverything affine

Mon, 02 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
Description AFFiNE is an open-source, all-in-one workspace and an operating system. Prior to version 0.26.0, there is an Open Redirect vulnerability located at the /redirect-proxy endpoint. The flaw exists in the domain validation logic, where an improperly anchored Regular Expression allows an attacker to bypass the whitelist by using malicious domains that end with a trusted string. This issue has been patched in version 0.26.0.
Title AFFiNE: Open Redirect via Regex Bypass in redirect-proxy
Weaknesses CWE-601
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Affine Affine
Toeverything Affine
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-02T20:30:32.614Z

Reserved: 2026-02-02T16:31:35.820Z

Link: CVE-2026-25477

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-03-02T20:16:26.407

Modified: 2026-04-10T14:28:39.173

Link: CVE-2026-25477

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T14:30:16Z

Weaknesses