Description
draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.9, the draw.io client accepts a ?gitlab= URL parameter that overrides the GitLab server URL used during OAuth sign-in. A crafted link causes the user's click on draw.io's "Authorize in GitLab" dialog to open a popup on the attacker-controlled host instead of gitlab.com. This can lead to credential phishing and session state token exfiltration. This issue has been patched in version 29.7.9.
Published: 2026-05-08
Score: 3.4 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

draw.io accepts a ?gitlab= URL parameter that can override the GitLab server URL used during OAuth sign-in. An attacker can embed a crafted link so that a user's click on the "Authorize in GitLab" dialog opens a popup on the attacker-controlled host instead of gitlab.com. This redirect lets the attacker phish credentials and exfiltrate the OAuth session state token. The weakness is an open redirect through the unvalidated GitLab URL parameter (CWE-601, URL Redirection to Untrusted Site) coupled with exposure of sensitive information (CWE-200).

Affected Systems

jgraph draw.io versions prior to 29.7.9 are affected. Version 29.7.9 and later include a fix that prevents the parameter from redirecting to an arbitrary host.

Risk and Exploitability

The CVSS 3.1 score of 3.4 indicates low severity. No EPSS score is available and the vulnerability is not listed in CISA KEV. The attack requires a user to click a crafted link and then authorize in GitLab, so exploitation is over the network and depends on user interaction (AV:N, UI:R in the CVSS vector). Success does not grant arbitrary code execution or system compromise; it primarily enables phishing of credentials and session tokens.

Generated by OpenCVE AI on May 8, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to draw.io version 29.7.9 or later
  • If an upgrade cannot be performed immediately, modify the application configuration to disallow or sanitize the ?gitlab URL parameter so that only the default GitLab host is used
  • Verify that the parameter is no longer accepted by testing with a malicious host URL before exposing the system to users
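The hardening described in the recommended actions, an allowlist check on the provider host taken from the URL parameter with fallback to the default host, plus the verification step that feeds constructed malicious values through it, as an added example in JavaScript. This is not draw.io's own code: the function names, the allowlist, the probe values and the placeholder host attacker.example are constructed for illustration; only the parameter name ?gitlab= comes from the advisory.

```javascript
// Added example (not draw.io's code): resolve the GitLab origin used for OAuth
// sign-in from a URL parameter, accepting it only when it names an allowlisted
// host, and otherwise falling back to the default. All names are illustrative.

const DEFAULT_GITLAB_ORIGIN = "https://gitlab.com";
// Constructed allowlist: self-hosted instances must be added here deliberately.
const ALLOWED_GITLAB_HOSTS = new Set(["gitlab.com"]);

function resolveGitLabOrigin(search, allowedHosts = ALLOWED_GITLAB_HOSTS,
                             fallback = DEFAULT_GITLAB_ORIGIN) {
  const raw = new URLSearchParams(search).get("gitlab");
  if (raw === null || raw.trim() === "") return fallback;

  let url;
  try {
    // No base URL: relative paths, scheme-relative "//host" and junk throw here.
    url = new URL(raw);
  } catch {
    return fallback;
  }

  // Only https: rejects javascript:, data: and plaintext http: providers.
  if (url.protocol !== "https:") return fallback;
  // No userinfo: defeats "https://gitlab.com@attacker.example", where the
  // browser would actually connect to attacker.example.
  if (url.username !== "" || url.password !== "") return fallback;
  // Exact match on host (which includes any non-default port), so lookalikes
  // such as "gitlab.com.attacker.example" and odd ports are rejected. The URL
  // parser already lowercases the host, so "GitLab.com" compares equal.
  if (!allowedHosts.has(url.host)) return fallback;

  // Hand back only the origin; any attacker-appended path, query or fragment
  // is discarded before the value reaches the OAuth popup.
  return url.origin;
}

// Constructed probe values mirroring the advisory's verification step: every
// one of these must resolve to the default origin once the check is in place.
const MALICIOUS_PROBES = [
  "https://attacker.example",
  "https://gitlab.com@attacker.example",
  "https://gitlab.com.attacker.example",
  "http://gitlab.com",
  "//attacker.example",
  "javascript:void(0)",
  "https://gitlab.com:8443",
];

function verifyParameterHardened(probes = MALICIOUS_PROBES) {
  return probes.every(
    (p) => resolveGitLabOrigin("?gitlab=" + encodeURIComponent(p)) === DEFAULT_GITLAB_ORIGIN
  );
}

// Stand-alone run: reports whether all probes were neutralised.
console.log("gitlab parameter hardened:", verifyParameterHardened());
```

The check deliberately compares the parsed host against a fixed set rather than pattern-matching the raw string, because the string forms that bypass prefix or substring checks (embedded userinfo, lookalike subdomains, alternate schemes) are exactly the ones a URL parser normalises away.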



Advisories

No advisories yet.

History

Sat, 09 May 2026 00:00:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Jgraph
                                        Jgraph drawio
Vendors & Products                      Jgraph
                                        Jgraph drawio

Fri, 08 May 2026 21:45:00 +0000

Type          Values Removed    Values Added
Description                     draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.9, the draw.io client accepts a ?gitlab= URL parameter that overrides the GitLab server URL used during OAuth sign-in. A crafted link causes the user's click on draw.io's "Authorize in GitLab" dialog to open a popup on the attacker-controlled host instead of gitlab.com. This can lead to credential phishing and session state token exfiltration. This issue has been patched in version 29.7.9.
Title                           Unvalidated gitlab URL parameter redirects OAuth authorize step to attacker-controlled host
Weaknesses                      CWE-200
                                CWE-601
References
Metrics                         cvssV3_1 {'score': 3.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T21:22:40.678Z

Reserved: 2026-04-25T01:53:21.584Z

Link: CVE-2026-42195

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-08T22:16:31.410

Modified: 2026-05-08T22:16:31.410

Link: CVE-2026-42195

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T23:45:20Z

Weaknesses