CVE-2026-2153 Overview
A vulnerability has been identified in mwielgoszewski doorman up to version 0.6. This security flaw affects the is_safe_url function within the file doorman/users/views.py. By manipulating the Next argument, an attacker can achieve an open redirect condition. The attack can be launched remotely without authentication, and the exploit has been publicly disclosed.
Critical Impact
Attackers can manipulate URL redirection to send users to malicious websites, enabling phishing attacks, credential theft, or malware distribution through trusted application URLs.
Affected Products
- mwielgoszewski doorman up to version 0.6
- Applications utilizing the vulnerable is_safe_url function in doorman/users/views.py
Discovery Timeline
- 2026-02-08 - CVE-2026-2153 published to NVD
- 2026-02-09 - Last updated in NVD database
Technical Details for CVE-2026-2153
Vulnerability Analysis
This vulnerability is classified as CWE-601 (URL Redirection to Untrusted Site, also known as Open Redirect). The is_safe_url function in doorman's user views module fails to properly validate the Next parameter, allowing attackers to craft malicious URLs that redirect users to arbitrary external sites.
Open redirect vulnerabilities are particularly dangerous because they leverage the trust users place in legitimate domains. When a user sees a familiar domain in a URL, they are more likely to click on it, unaware that the link will redirect them to a malicious destination.
Root Cause
The root cause of this vulnerability lies in insufficient URL validation within the is_safe_url function. The function does not adequately verify that the destination URL specified in the Next parameter belongs to the same domain or is within an allowed list of safe destinations. This allows attackers to bypass the intended security controls and redirect users to external, potentially malicious websites.
Attack Vector
The vulnerability is exploitable remotely over the network. An attacker can craft a specially designed URL that includes a malicious redirect destination in the Next parameter. When a victim clicks on this link, they are initially directed to the legitimate doorman application, which then redirects them to the attacker-controlled site.
This attack requires user interaction (clicking the malicious link) but no authentication or special privileges. The attacker typically distributes these crafted URLs through phishing emails, social media, or other communication channels, leveraging the legitimate appearance of the doorman domain to increase click-through rates.
Technical details and proof-of-concept information are available through the GitHub PoC Repository and VulDB #344855.
Detection Methods for CVE-2026-2153
Indicators of Compromise
- Unusual URL patterns containing the Next parameter with external domain references
- Log entries showing redirects to domains outside your organization's control
- User reports of being redirected to unexpected or suspicious websites after clicking internal links
- Increased phishing attempts leveraging your organization's doorman URLs
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block requests with suspicious Next parameter values pointing to external domains
- Configure URL monitoring to flag redirect requests containing non-whitelisted destination URLs
- Enable detailed logging for the doorman/users/views.py module to capture all redirect attempts
- Deploy SentinelOne Singularity for endpoint protection to detect and block malicious redirect chains
Monitoring Recommendations
- Monitor web server access logs for requests to doorman endpoints containing the Next parameter with external URLs
- Set up alerts for high volumes of redirect requests originating from single IP addresses
- Review authentication logs for patterns indicating credential theft following redirect attacks
- Implement user behavior analytics to detect unusual login patterns that may indicate compromised credentials from phishing
How to Mitigate CVE-2026-2153
Immediate Actions Required
- Audit all deployments of mwielgoszewski doorman version 0.6 and earlier
- Implement additional URL validation at the web server or application gateway level
- Review and restrict the allowable destinations for the Next parameter to internal domains only
- Educate users about the risks of clicking on links, even those appearing to originate from trusted domains
Patch Information
As of the last modification date (2026-02-09), users should check the official mwielgoszewski doorman repository for security updates addressing this vulnerability. Monitor the VulDB entry for updated patch information and remediation guidance.
Workarounds
- Implement a strict whitelist of allowed redirect destinations at the application or reverse proxy level
- Add server-side validation to reject any Next parameter values containing external domains or suspicious URL patterns
- Consider disabling the redirect functionality entirely if not critical to business operations
- Deploy a web application firewall with rules specifically targeting open redirect attack patterns
# Example nginx configuration to restrict redirects
# Add to your server block configuration
# Block requests whose next parameter is an absolute or scheme-relative URL
# with a host other than yourdomain.com. The host must be followed by a port,
# path, query or end of string; without that, yourdomain.com.evil.com and
# yourdomain.com@evil.com would pass the lookahead. nginx matches query
# parameter names case-insensitively, so $arg_next also covers Next.
if ($arg_next ~* "^(https?:)?//(?!yourdomain\.com([:/?]|$))") {
    return 403;
}
# Alternative: Redirect suspicious requests to a safe page
location /users/ {
    if ($arg_next ~* "^(https?:)?//(?!yourdomain\.com([:/?]|$))") {
        return 302 /safe-landing-page;
    }
    proxy_pass http://doorman_backend;
}
# Caveat: $arg_next is the raw, still percent-encoded value, so a prefix sent
# as %2F%2F is not caught here; the application must validate next as well.
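The durable fix is server-side validation of the Next value (the Root Cause and Workarounds sections), and the same host check is what the access-log monitoring in Detection Methods needs. The following is an added example, not doorman's own code: a strict is_safe_url-style check that rejects scheme-relative, backslash, userinfo and look-alike-host targets, and a scanner that applies it to access-log lines. The host name yourdomain.com, the combined log format and the sample log lines are assumptions.

```python
from urllib.parse import urlsplit, unquote, parse_qs
import re

def is_safe_url(target: str, allowed_host: str) -> bool:
    """Accept only a same-site absolute path or a URL whose host is exactly
    allowed_host (assumed: the app serves a single host)."""
    if not target:
        return False
    # Decode once so %2F%2Fevil.example is judged as the browser will see it,
    # and treat backslashes as slashes, as browsers do (/\evil => //evil).
    target = unquote(target).strip().replace("\\", "/")
    parts = urlsplit(target)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data:, ...
    if parts.netloc:
        # hostname drops userinfo (yourdomain.com@evil) and port, and is lowercased
        return parts.hostname == allowed_host.lower()
    # No host part: require a plain path, never scheme-relative (// or ///)
    return target.startswith("/") and not target.startswith("//")

LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def find_external_next(log_lines, allowed_host):
    """Return (line_no, value) for every next/Next query value that fails
    is_safe_url; parameter names are matched case-insensitively."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for name, values in parse_qs(query, keep_blank_values=True).items():
            if name.lower() == "next":
                hits.extend((n, v) for v in values if not is_safe_url(v, allowed_host))
    return hits

# Constructed sample access-log lines (combined format); not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Feb/2026:10:00:01 +0000] "GET /login?next=/dashboard HTTP/1.1" 302 0',
    '10.0.0.6 - - [08/Feb/2026:10:00:02 +0000] "GET /login?next=https://yourdomain.com/hosts HTTP/1.1" 302 0',
    '198.51.100.7 - - [08/Feb/2026:10:00:03 +0000] "GET /login?Next=%2F%2Fevil.example HTTP/1.1" 302 0',
    '198.51.100.8 - - [08/Feb/2026:10:00:04 +0000] "GET /login?next=https://yourdomain.com.evil.example/ HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for n, v in find_external_next(SAMPLE_LOG, "yourdomain.com"):
        print(f"line {n}: external redirect target {v!r}")
```

Decoding the value once before checking is deliberately conservative: a double-encoded value is rejected rather than passed through, which at worst costs a false positive.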
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.