Description
Saltcorn is an extensible, open source, no-code database application builder. Prior to versions 1.4.6, 1.5.6, and 1.6.0-beta.5, Saltcorn validates the post-login dest parameter with a string check that only blocks :/ and //. Because all WHATWG-compliant browsers normalise backslashes (\) to forward slashes (/) for special schemes, a payload such as /\evil.com/path slips through is_relative_url(), is emitted unchanged in the HTTP Location header, and causes the browser to navigate cross-origin to an attacker-controlled domain. The bug is reachable on a default install and only requires a victim who can be tricked into logging in via a crafted Saltcorn URL. This issue has been patched in versions 1.4.6, 1.5.6, and 1.6.0-beta.5.
Published: 2026-05-07
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Saltcorn is an open source no‑code database builder. In versions prior to 1.4.6, 1.5.6, and 1.6.0‑beta.5 the application incorrectly validates the `dest` parameter after a login attempt, so a string containing a backslash is accepted as a relative URL and emitted unchanged in the HTTP Location header. Because browsers normalise that backslash to a forward slash, the browser then navigates to a domain controlled by the attacker. This is a classic open‑redirect flaw that can be used in phishing or social‑engineering attacks.

Affected Systems

The vulnerability affects all default Saltcorn installations using the vulnerable releases. Vulnerable versions include any release earlier than 1.4.6 for the 1.4 series, earlier than 1.5.6 for the 1.5 series, and earlier than 1.6.0‑beta.5 for the 1.6 series. No explicit workaround is listed; the issue is fixed in the aforementioned patched releases.

Risk and Exploitability

The CVSS score of 5.1 classifies the flaw as medium severity. The EPSS score is not available, and it is not listed in the CISA KEV catalog. Based on the description, it is inferred that the issue can be exploited from the public web interface: an attacker only needs to craft a login URL whose `dest` parameter carries a backslash‑prefixed domain and trick a user into following it. Since no complex prerequisite or elevated privilege is required, the attack is plausible for adversaries with limited resources.

Generated by OpenCVE AI on May 7, 2026 at 21:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Saltcorn to at least version 1.4.6, 1.5.6, or 1.6.0-beta.5.
  • Remove or tightly validate any `dest` URL parameters in the login flow, ensuring only strictly relative paths are accepted.
  • Consider adding a whitelist of allowed redirect destinations or enforcing a strict redirect policy to prevent future open‑redirect misuse.
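The following Node.js snippet is an added illustration, not Saltcorn's own code: it reconstructs the weak substring check the description attributes to `is_relative_url()` (rejecting only `:/` and `//`), shows how the WHATWG URL parser that browsers use resolves `/\evil.com/path` against the site origin, and gives a hardened same-origin check of the kind the recommended actions call for. The function names `isRelativeUrlWeak`, `resolveAsBrowserWould`, `isSafeRelativeUrl`, `compareChecks` and the origin `https://app.example` are assumptions made for this example.

```javascript
// Added example (not Saltcorn's code): weak vs. hardened validation of a post-login
// "dest" parameter. Function names and the origin https://app.example are constructed.

// Reconstruction of the weak check described in the advisory: only ":/" and "//" are
// rejected, so a backslash directly after the leading slash is not caught.
function isRelativeUrlWeak(dest) {
  return typeof dest === 'string' && !dest.includes(':/') && !dest.includes('//');
}

// What a WHATWG-compliant browser does with the Location value: resolve it against the
// page origin. For special schemes (http, https) a backslash is treated as a slash.
function resolveAsBrowserWould(dest, baseOrigin) {
  return new URL(dest, baseOrigin).href;
}

// Hardened check: accept only a path that starts with exactly one "/", contains no
// backslash or control character, and still resolves to the site's own origin.
function isSafeRelativeUrl(dest, baseOrigin) {
  if (typeof dest !== 'string' || dest.length === 0) return false;
  // One leading slash that is not followed by "/" or "\" (both become protocol-relative).
  if (!/^\/(?![\/\\])/.test(dest)) return false;
  // No backslashes or control characters anywhere; they would reach Location unchanged.
  if (/[\\\u0000-\u001f\u007f]/.test(dest)) return false;
  let resolved;
  try {
    resolved = new URL(dest, baseOrigin);
  } catch {
    return false;
  }
  // The parser is the final authority: the resolved origin must be unchanged.
  return resolved.origin === new URL(baseOrigin).origin;
}

// Constructed sample inputs: the advisory's payload plus benign and hostile neighbours.
const SAMPLE_DESTS = ['/dashboard', '/\\evil.com/path', '//evil.com', 'https://evil.com/', '/a/b?c=1'];

// Run both checks over the samples and record where a browser would actually land.
function compareChecks(baseOrigin = 'https://app.example') {
  return SAMPLE_DESTS.map((dest) => {
    let browserGoesTo = null;
    try {
      browserGoesTo = resolveAsBrowserWould(dest, baseOrigin);
    } catch {
      browserGoesTo = null; // unparseable input: a browser would not follow it
    }
    return {
      dest,
      weakAccepts: isRelativeUrlWeak(dest),
      hardenedAccepts: isSafeRelativeUrl(dest, baseOrigin),
      browserGoesTo,
    };
  });
}

console.table(compareChecks());
```

The second row of the table is the advisory's case: the weak check accepts `/\evil.com/path`, the browser resolves it to `https://evil.com/path`, and the hardened check rejects it. Comparing `origin` after parsing is what makes the check robust to further normalisation quirks; the regex and backslash filter in front of it only give an early, readable rejection.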

Advisories

Source: Github GHSA
ID: GHSA-f3g8-9xv5-77gv
Title: Saltcorn: Open Redirect in `POST /auth/login` due to incomplete `is_relative_url` validation (backslash bypass)
History

Thu, 07 May 2026 20:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Saltcorn; Saltcorn saltcorn

Type: Vendors & Products
Values Removed: (none)
Values Added: Saltcorn; Saltcorn saltcorn

Thu, 07 May 2026 19:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: identical to the Description section above.

Type: Title
Values Removed: (none)
Values Added: Saltcorn: Open Redirect in `POST /auth/login` due to incomplete `is_relative_url` validation (backslash bypass)

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-601

Type: References
Values Removed: (none)
Values Added: (empty)

Type: Metrics
Values Removed: (none)
Values Added: cvssV4_0, score 5.1, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T18:54:57.234Z

Reserved: 2026-04-26T11:53:27.705Z

Link: CVE-2026-42259

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-05-07T20:16:44.400

Modified: 2026-05-07T20:37:54.060

Link: CVE-2026-42259

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T21:15:11Z

Weaknesses