Description
Ory Polis, formerly known as BoxyHQ Jackson, bridges or proxies a SAML login flow to OAuth 2.0 or OpenID Connect. Versions prior to 26.2.0 contain a DOM-based Cross-Site Scripting (XSS) vulnerability in Ory Polis's login functionality. The application improperly trusts a URL parameter (`callbackUrl`), which is passed to `router.push`. An attacker can craft a malicious link that, when opened by an authenticated user (or an unauthenticated user that later logs in), performs a client-side redirect and executes arbitrary JavaScript in the context of their browser. This could lead to credential theft, internal network pivoting, and unauthorized actions performed on behalf of the victim. Version 26.2.0 contains a patch for the issue.
Published: 2026-03-26
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Client‑side code execution via XSS
Action: Patch
AI Analysis

Impact

An attacker can craft a malicious link that sets the callbackUrl query parameter to an arbitrary value. Ory Polis blindly trusts this value and passes it to the client‑side router, which results in a redirect and execution of any JavaScript contained in the URL. This DOM‑based Cross‑Site Scripting exploits improper handling of parameters (CWE‑87) and an open redirect flaw (CWE‑601). When this code runs in the victim’s browser it can steal credentials, pivot within the internal network, or perform unauthorized actions on behalf of the user.

Affected Systems

All releases of the Ory Polis identity‑and‑access‑management service before version 26.2.0 are affected. The vulnerability exists in the login component where the callbackUrl parameter is processed. Systems running 26.2.0 or later contain the patch that validates or sanitises the callbackUrl value.

Risk and Exploitability

The flaw carries a high CVSS base score of 8.8, indicating a serious client‑side risk. Because the exploit occurs only in the user’s browser and requires the user to click a malicious link, no EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, credential theft and lateral movement make it a significant concern. The likely attack vector is a phishing or social‑engineering campaign that delivers a crafted URL to an authenticated or soon‑to‑be authenticated user.

Generated by OpenCVE AI on March 26, 2026 at 20:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Ory Polis to version 26.2.0 or later
  • Verify that callbackUrl values are properly validated or sanitized before being used in router.push
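As an added illustration of the second action (example code, not Ory Polis's own): an allow-list check that reduces an untrusted callbackUrl query value to a same-origin path before anything like router.push sees it, falling back to a default when the value carries a non-http scheme or resolves to another origin. The function name, the default path and the application origin are assumptions.

```javascript
// Constructed example: allow-list a post-login "callbackUrl" before handing it
// to a client-side router. Not Ory Polis code; the function name, the default
// path and the origin below are assumptions made for illustration.

const DEFAULT_REDIRECT = '/';

/**
 * Reduce an untrusted callbackUrl to a same-origin path, or fall back to
 * DEFAULT_REDIRECT. Returning only path + query + fragment (never a full URL
 * or a non-http scheme) keeps the value from becoming a javascript:/data:
 * URL or an open redirect to another host.
 */
function safeCallbackUrl(raw, appOrigin) {
  if (typeof raw !== 'string' || raw.length === 0) return DEFAULT_REDIRECT;
  let url;
  try {
    // Resolving against the app origin makes "//host", "/\host" and
    // "javascript:..." all surface as a parsed scheme/origin we can test.
    url = new URL(raw, appOrigin);
  } catch {
    return DEFAULT_REDIRECT;
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return DEFAULT_REDIRECT;
  if (url.origin !== new URL(appOrigin).origin) return DEFAULT_REDIRECT;
  // Rebuild the target from parsed parts so the router never sees raw input.
  return url.pathname + url.search + url.hash;
}

// Constructed inputs: a router call such as router.push(target) would receive
// the return value instead of the raw query parameter.
const APP_ORIGIN = 'https://sso.example.test';
const samples = [
  '/admin/settings?tab=sso#teams',        // kept as-is
  'https://sso.example.test/dashboard',   // reduced to "/dashboard"
  'javascript:alert(1)',                  // non-http scheme -> "/"
  '//attacker.example/phish',             // protocol-relative -> "/"
  '/\\attacker.example/phish',            // backslash variant -> "/"
  'https://attacker.example/',            // foreign origin -> "/"
  'data:text/html,hello',                 // data scheme -> "/"
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', safeCallbackUrl(s, APP_ORIGIN));
}
```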

Advisories

No advisories yet.

History

Fri, 17 Apr 2026 20:00:00 +0000
  CPEs (added): cpe:2.3:a:ory:polis:*:*:*:*:*:*:*:*

Fri, 27 Mar 2026 08:45:00 +0000
  First Time appeared (added): Ory; Ory polis
  Vendors & Products (added): Ory; Ory polis

Thu, 26 Mar 2026 20:15:00 +0000
  Metrics (added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 19:15:00 +0000
  Description (added): Ory Polis, formerly known as BoxyHQ Jackson, bridges or proxies a SAML login flow to OAuth 2.0 or OpenID Connect. Versions prior to 26.2.0 contain a DOM-based Cross-Site Scripting (XSS) vulnerability in Ory Polis's login functionality. The application improperly trusts a URL parameter (`callbackUrl`), which is passed to `router.push`. An attacker can craft a malicious link that, when opened by an authenticated user (or an unauthenticated user that later logs in), performs a client-side redirect and executes arbitrary JavaScript in the context of their browser. This could lead to credential theft, internal network pivoting, and unauthorized actions performed on behalf of the victim. Version 26.2.0 contains a patch for the issue.
  Title (added): DOM-Based XSS in Ory Polis Login Page
  Weaknesses (added): CWE-601; CWE-87
  References (added): (none shown)
  Metrics (added): cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L'}

MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-03-26T19:52:10.429Z
Reserved: 2026-03-20T16:59:08.888Z
Link: CVE-2026-33506

Vulnrichment
Updated: 2026-03-26T19:50:30.733Z

NVD
Status: Analyzed
Published: 2026-03-26T19:17:05.680
Modified: 2026-04-17T19:45:30.170
Link: CVE-2026-33506

Redhat
No data.

OpenCVE Enrichment
Updated: 2026-03-27T09:25:43Z

Weaknesses