CVE-2026-42195 Overview
CVE-2026-42195 affects draw.io, a configurable diagramming and whiteboarding application. Versions prior to 29.7.9 accept a ?gitlab= URL parameter that overrides the GitLab server URL used during OAuth sign-in. With a crafted link, clicking "Authorize in GitLab" in the sign-in dialog opens the OAuth popup on an attacker-controlled host instead of gitlab.com. This redirection enables credential phishing and exfiltration of the OAuth session state token. The maintainers patched the issue in version 29.7.9. The weakness is tracked under [CWE-200] (Exposure of Sensitive Information to an Unauthorized Actor).
Critical Impact
Attackers can hijack the draw.io OAuth authorization flow to harvest GitLab credentials and steal OAuth session state tokens through a single crafted link.
Affected Products
- draw.io (jgraph/drawio) client versions prior to 29.7.9
- Deployments integrating draw.io with GitLab OAuth sign-in
- Self-hosted draw.io instances exposing the affected client build
Discovery Timeline
- 2026-05-08 - CVE-2026-42195 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-42195
Vulnerability Analysis
The draw.io client integrates with GitLab using an OAuth authorization flow. During sign-in, the client opens a popup window pointing to the GitLab authorization endpoint. The client trusts a user-supplied ?gitlab= query parameter to determine the OAuth server host, rather than enforcing a fixed allowlist anchored to gitlab.com or a configured self-hosted instance.
An attacker crafts a draw.io URL containing ?gitlab=attacker.example. When the victim opens that link and clicks "Authorize in GitLab," the popup loads the attacker-controlled host instead of the legitimate GitLab server. The attacker's page can imitate the GitLab login interface to capture credentials. It can also receive the OAuth state token and redirect parameters that draw.io passes during the flow.
Exploitation requires user interaction, namely clicking the crafted link and proceeding through the authorization dialog. The attack succeeds across trust boundaries because the popup originates from a draw.io-initiated action, lending it perceived legitimacy.
Root Cause
The root cause is improper input validation of an externally controllable URL parameter that governs a security-sensitive endpoint. The client should treat the OAuth server origin as a fixed configuration value, not as user-controlled input. By accepting ?gitlab= without an allowlist, draw.io exposes the authorization flow to redirection. This pattern aligns with [CWE-200] because session state and credential material can be disclosed to an unauthorized origin.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker distributes a crafted draw.io link through phishing email, chat, or a malicious diagram embed. The victim opens the link in a draw.io session and initiates GitLab sign-in. The popup is redirected to the attacker host, where credentials and OAuth state tokens can be captured. No authentication or special privileges are needed to craft or deliver the link.
No verified proof-of-concept code is available. See the GitHub Security Advisory GHSA-8x7j-m8px-7p8x for additional technical details.
Detection Methods for CVE-2026-42195
Indicators of Compromise
- draw.io URLs containing a ?gitlab= parameter pointing to any host other than gitlab.com or your sanctioned self-hosted GitLab instance.
- OAuth popups during draw.io sign-in that load an unexpected origin in the address bar.
- Web proxy or browser telemetry showing outbound requests from draw.io sessions to unrecognized GitLab-lookalike domains.
Detection Strategies
- Inspect HTTP referrer and request logs for draw.io page loads carrying the gitlab= query parameter with non-allowlisted values.
- Hunt in email and chat gateways for inbound links matching drawio* hosts combined with a gitlab= parameter.
- Correlate GitLab authentication logs with draw.io session activity to surface OAuth attempts that originate from unfamiliar relay hosts.
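The exact-match host allowlist called for under Root Cause, and the log inspection from the first Detection Strategies item, as one added JavaScript example that is not draw.io's own code. ALLOWED_GITLAB_HOSTS, gitlabHostFromUrl, resolveOAuthHost, findSuspiciousLoads, the drawio.example base URL and the sample log lines are all assumptions constructed for this example.

```javascript
// Added example (not draw.io project code). Assumed names: ALLOWED_GITLAB_HOSTS,
// gitlabHostFromUrl, resolveOAuthHost, findSuspiciousLoads; "drawio.example"
// and the log lines are constructed placeholders.
const ALLOWED_GITLAB_HOSTS = new Set(["gitlab.com", "gitlab.corp.example"]);
const DRAWIO_BASE = "https://drawio.example/"; // lets relative log paths parse

// Resolve the host a browser would actually open for a ?gitlab= value:
// percent-decoded, scheme/userinfo/port/path stripped, lower-cased.
// Returns null when the parameter is absent, "<unparseable>" when malformed.
function gitlabHostFromUrl(pageUrl) {
  let url;
  try { url = new URL(pageUrl, DRAWIO_BASE); } catch (_e) { return null; }
  const raw = url.searchParams.get("gitlab"); // already percent-decoded
  if (!raw) return null;
  // "attacker.example" and "https://attacker.example/login" must both resolve.
  const candidate = /^[a-z][a-z0-9+.-]*:\/\//i.test(raw) ? raw : `https://${raw}`;
  try { return new URL(candidate).hostname.toLowerCase(); }
  catch (_e) { return "<unparseable>"; }
}

// Hardened client-side selection: the vulnerable behaviour used the parameter
// as-is; here anything off the exact-match allowlist falls back to the default,
// so "gitlab.com.evil.example" or "gitlab.com@evil.example" never win.
function resolveOAuthHost(pageUrl, fallback = "gitlab.com") {
  const host = gitlabHostFromUrl(pageUrl);
  return host !== null && ALLOWED_GITLAB_HOSTS.has(host) ? host : fallback;
}

// Detection over access-log style lines: flag draw.io page loads whose gitlab=
// value resolves to a host outside the allowlist (unparseable values included).
function findSuspiciousLoads(logLines) {
  const findings = [];
  for (const line of logLines) {
    const m = line.match(/"GET (\S+) HTTP/);
    if (!m) continue;
    const host = gitlabHostFromUrl(m[1]);
    if (host !== null && !ALLOWED_GITLAB_HOSTS.has(host)) findings.push({ line, host });
  }
  return findings;
}

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG_LINES = [
  '10.0.0.5 - - [08/May/2026:10:01:12 +0000] "GET /?mode=gitlab HTTP/1.1" 200',
  '10.0.0.5 - - [08/May/2026:10:02:40 +0000] "GET /?gitlab=GitLab.com HTTP/1.1" 200',
  '10.0.0.9 - - [08/May/2026:10:03:01 +0000] "GET /?gitlab=https%3A%2F%2Fgitlab.com.evil.example%2Flogin HTTP/1.1" 200',
  '10.0.0.9 - - [08/May/2026:10:03:05 +0000] "GET /?gitlab=gitlab.com%40evil.example HTTP/1.1" 200',
];
console.log(findSuspiciousLoads(SAMPLE_LOG_LINES).map((f) => f.host));
```

Only the two lines whose value resolves to a host off the allowlist are reported; the lookalike subdomain and the userinfo trick both fall out of URL parsing rather than string matching.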
Monitoring Recommendations
- Alert on newly registered domains that resemble gitlab.com and appear as query values in draw.io traffic.
- Track draw.io client version strings in browser telemetry to confirm all users are running 29.7.9 or later.
- Monitor GitLab OAuth application logs for authorization requests with unusual redirect_uri or state patterns.
How to Mitigate CVE-2026-42195
Immediate Actions Required
- Upgrade all draw.io deployments and embedded client builds to version 29.7.9 or later, as documented in the GitHub Release Note v29.7.9.
- Notify users to avoid clicking draw.io links from untrusted sources until the upgrade is complete.
- Rotate any GitLab OAuth client secrets and revoke active sessions if exploitation is suspected.
Patch Information
The draw.io maintainers fixed the issue in version 29.7.9. The patch removes acceptance of the externally supplied gitlab= URL parameter for OAuth host selection. Refer to the GitHub Security Advisory GHSA-8x7j-m8px-7p8x and the GitHub Issue Report for change details.
Workarounds
- Block or strip the gitlab= query parameter at web proxies and reverse proxies in front of self-hosted draw.io instances.
- Restrict the GitLab OAuth application's allowed redirect_uri values to your sanctioned draw.io origin only.
- Train users to verify the popup origin shows gitlab.com (or your internal GitLab host) before entering credentials.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.