Description
GlobaLeaks is free and open-source whistleblowing software. Prior to version 5.0.89, the /api/support endpoint of GlobaLeaks performs minimal validation on user-submitted support requests. As a result, arbitrary URLs can be included in support emails sent to administrators. Version 5.0.89 patches the issue.
Published: 2026-03-27
Score: 1.2 Low
EPSS: n/a
KEV: No
Impact: Phishing risk via malicious URLs
Action: Patch immediately
AI Analysis

Impact

GlobaLeaks whistleblowing software performs inadequate validation on the /api/support endpoint, allowing attackers to embed arbitrary URLs into support requests that are automatically forwarded to administrators via email. Because the emails reach privileged users, an attacker could direct them to malicious sites, creating a phishing vector that may compromise admin credentials or enable further attacks on the system. This issue maps to improper input validation (CWE-20).
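One way to implement the server-side validation this record describes as missing, as an added defensive example written for this page (it is not GlobaLeaks' code and does not reproduce the 5.0.89 patch; the "reject"/"defang" policy names, the Result class and the sample message are assumptions):

```python
"""Defensive handling of free-text support requests before they are
embedded in an email to administrators. Illustrative code only."""
import html
import re
from dataclasses import dataclass, field

# Matches http(s) URLs and bare "www." hosts; constructed for this example.
URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)[^\s<>\"']+")


@dataclass
class Result:
    body: str                                  # text safe to place in the email
    urls: list = field(default_factory=list)   # URLs found in the submission
    rejected: bool = False                     # True if policy "reject" fired


def defang(url: str) -> str:
    """Make a URL non-clickable in mail clients: http -> hxxp, '.' -> '[.]'."""
    return re.sub(r"(?i)^http", "hxxp", url).replace(".", "[.]")


def sanitize_support_request(text: str, policy: str = "defang",
                             max_len: int = 2000) -> Result:
    """Validate a support message before it is mailed to admins.

    policy "reject": refuse any message that contains a URL.
    policy "defang": keep the message but neutralise every link.
    The length cap bounds what an unauthenticated caller can push into mail.
    """
    if policy not in ("reject", "defang"):
        raise ValueError("unknown policy")
    text = text[:max_len]
    urls = URL_RE.findall(text)
    if urls and policy == "reject":
        return Result(body="", urls=urls, rejected=True)
    if urls:
        text = URL_RE.sub(lambda m: defang(m.group(0)), text)
    # Escape after defanging so any HTML in the message renders inert.
    return Result(body=html.escape(text, quote=True), urls=urls)


if __name__ == "__main__":
    # Constructed sample input, not a real submission.
    sample = "Please reset my account at https://example.com/login?x=1 <b>now</b>"
    print(sanitize_support_request(sample).body)
    print(sanitize_support_request(sample, policy="reject").rejected)
```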

Affected Systems

The vulnerability affects GlobaLeaks Whistleblowing Software versions prior to 5.0.89, where the support API accepts unchecked URLs in user requests. Only the pre-5.0.89 releases are vulnerable; version 5.0.89 and later have been patched to enforce proper validation.

Risk and Exploitability

The CVSS base score of 1.2 indicates low severity, and the advisory notes that the vulnerability is not listed in CISA's KEV catalog. An attacker could exploit the flaw by submitting a crafted support request containing a malicious link, but success requires the administrator to open the email and click the link. While the probability of exploitation may be low without social engineering, the patch remains recommended to mitigate any potential phishing risk.

Generated by OpenCVE AI on March 27, 2026 at 15:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GlobaLeaks to version 5.0.89 or later.
  • Restrict access to the /api/support endpoint to trusted users only.
  • Monitor administrator inbox for unexpected URLs and apply email filtering rules to block or flag suspicious links.


Advisories

No advisories yet.

History

Fri, 27 Mar 2026 14:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: GlobaLeaks is free and open-source whistleblowing software. Prior to version 5.0.89, the /api/support endpoint of GlobaLeaks performs minimal validation on user-submitted support requests. As a result, arbitrary URLs can be included in support emails sent to administrators. Version 5.0.89 patches the issue.

Type: Title
Values Removed: (none)
Values Added: GlobaLeaks has insufficient URL validation in user support API

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-20

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV4_0 {'score': 1.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-27T19:33:52.223Z

Reserved: 2026-03-18T18:55:47.425Z

Link: CVE-2026-33284

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-27T15:16:54.643

Modified: 2026-03-27T15:16:54.643

Link: CVE-2026-33284

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T20:28:47Z

Weaknesses