CVE-2026-33506 Overview
CVE-2026-33506 is a DOM-based Cross-Site Scripting (XSS) vulnerability affecting Ory Polis (formerly BoxyHQ Jackson), a solution that bridges or proxies SAML login flows to OAuth 2.0 or OpenID Connect. The vulnerability exists in the login functionality where the application improperly trusts a URL parameter (callbackUrl), which is passed to router.push. This allows attackers to craft malicious links that execute arbitrary JavaScript in the context of a victim's browser when clicked.
Critical Impact
This vulnerability enables credential theft, internal network pivoting, and unauthorized actions on behalf of authenticated victims through client-side JavaScript execution.
Affected Products
- Ory Polis versions prior to 26.2.0
- BoxyHQ Jackson (legacy name) versions prior to 26.2.0
- Applications using Ory Polis SAML-to-OAuth/OIDC bridge functionality
Discovery Timeline
- 2026-03-26 - CVE-2026-33506 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33506
Vulnerability Analysis
This DOM-based XSS vulnerability stems from insufficient validation of user-controlled input in Ory Polis's authentication flow. The callbackUrl parameter is directly passed to the client-side router's push method without proper sanitization, creating an opportunity for JavaScript injection. When an authenticated user (or an unauthenticated user who subsequently authenticates) clicks a malicious link, the attacker's JavaScript payload executes within the application's origin context.
The attack is particularly dangerous in authentication systems because it can intercept credentials, session tokens, and other sensitive data during the login process. The network-accessible nature of this vulnerability means attackers can distribute malicious links through various channels including email, social media, or compromised websites.
Root Cause
The root cause is classified under CWE-87 (Improper Neutralization of Alternate XSS Syntax). The application fails to properly validate or sanitize the callbackUrl parameter before using it in a client-side redirect operation via router.push. This allows attackers to inject JavaScript pseudo-protocol URLs (e.g., javascript:) or craft URLs that lead to XSS payloads being executed.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker crafts a malicious URL containing a JavaScript payload in the callbackUrl parameter and distributes it to potential victims. When the victim clicks the link:
- The victim navigates to the legitimate Ory Polis login page with the malicious callbackUrl parameter
- After authentication (or immediately if already authenticated), router.push processes the attacker-controlled URL
- The JavaScript payload executes in the victim's browser within the application's security context
- The attacker can steal session cookies, tokens, or perform actions as the authenticated user
The vulnerability allows for credential theft by capturing authentication tokens, session hijacking, and potentially pivoting to internal network resources accessible to the victim.
Detection Methods for CVE-2026-33506
Indicators of Compromise
- Unusual or malformed callbackUrl parameter values in web server access logs
- JavaScript pseudo-protocol strings (javascript:) appearing in URL parameters
- Unexpected data exfiltration to external domains following authentication events
- User reports of suspicious redirects after login attempts
Detection Strategies
- Monitor web application firewall (WAF) logs for XSS patterns in callbackUrl parameters
- Implement Content Security Policy (CSP) reporting to detect inline script execution attempts
- Review authentication flow logs for abnormal callback URL patterns
- Deploy client-side anomaly detection for unexpected JavaScript execution contexts
Monitoring Recommendations
- Enable verbose logging for authentication-related endpoints and redirect operations
- Configure alerts for callbackUrl parameters containing protocol handlers or encoded payloads
- Monitor for increased rates of failed or suspicious authentication attempts
- Track outbound connections from user browsers following login events using browser telemetry
How to Mitigate CVE-2026-33506
Immediate Actions Required
- Upgrade Ory Polis to version 26.2.0 or later immediately
- Review application logs for any evidence of exploitation attempts
- Implement additional input validation on callbackUrl parameters at the WAF or proxy layer
- Notify users to be cautious of suspicious login links and report any unusual behavior
Patch Information
The vulnerability has been addressed in Ory Polis version 26.2.0. Organizations should upgrade to this version or later to remediate the vulnerability. The patch information and release notes are available in the GitHub Release v26.2.0. Additional technical details about the vulnerability can be found in the GitHub Security Advisory GHSA-3wjr-6gw8-9j22.
Workarounds
- Implement strict URL allowlisting for callback URLs at the reverse proxy or WAF level
- Deploy Content Security Policy (CSP) headers to prevent inline JavaScript execution
- Use a reverse proxy to strip or sanitize suspicious callbackUrl parameter values before they reach the application
- Temporarily disable or restrict the affected login functionality if immediate patching is not possible
# Example nginx configuration to block suspicious callbackUrl patterns
location /login {
# Block javascript: protocol in callbackUrl
if ($arg_callbackUrl ~* "javascript:") {
return 403;
}
# Block data: protocol in callbackUrl
if ($arg_callbackUrl ~* "data:") {
return 403;
}
proxy_pass http://polis_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
