Description
Redash is a package for data visualization and sharing. From 5.0.2 to 26.3.0, the get_next_path() function in Redash's authentication module stripped the scheme and netloc from user-supplied next parameters but did not normalize multiple leading slashes, allowing a crafted login URL such as /login?next=////evil.com to redirect users to an external attacker-controlled site after authentication.
No analysis available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
No advisories yet.
References
History
Wed, 15 Jul 2026 18:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 15 Jul 2026 15:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Redash is a package for data visualization and sharing. From 5.0.2 to 26.3.0, the get_next_path() function in Redash's authentication module stripped the scheme and netloc from user-supplied next parameters but did not normalize multiple leading slashes, allowing a crafted login URL such as /login?next=////evil.com to redirect users to an external attacker-controlled site after authentication. | |
| Title | Redash: Open redirect vulnerability in post-login redirect handling | |
| Weaknesses | CWE-601 | |
| References |
| |
| Metrics |
cvssV3_1
|
Subscriptions
No data.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-15T17:49:38.917Z
Reserved: 2026-03-17T23:23:58.313Z
Link: CVE-2026-33213
Updated: 2026-07-15T17:49:33.829Z
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses
-
CWE-601
URL Redirection to Untrusted Site ('Open Redirect')