CVE-2026-42207 Overview
CVE-2026-42207 is an open redirect vulnerability in OpenMage Magento Long Term Support (LTS), a community-driven fork of the Magento Community Edition e-commerce platform. The flaw resides in Mage_ProductAlert_AddController::stockAction(), which reads the uenc query parameter and passes it directly to $this->_redirectUrl($backUrl) without invoking $this->_isUrlInternal(). When the supplied product_id does not match any catalog product, the server issues an unvalidated HTTP 302 redirect to the attacker-controlled URL. The issue is fixed in version 20.18.0 and is classified under CWE-601 URL Redirection to Untrusted Site.
Critical Impact
Attackers can craft links that appear to originate from a trusted Magento storefront and silently redirect victims to phishing or malware-hosting domains.
Affected Products
- OpenMage Magento LTS versions prior to 20.18.0
- Mage_ProductAlert module (stockAction endpoint)
- Storefronts exposing the product alert stock subscription URL
Discovery Timeline
- 2026-05-15 - CVE-2026-42207 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-42207
Vulnerability Analysis
The vulnerability is an open redirect in the product stock alert subscription flow. The stockAction() method handles requests to subscribe a customer to back-in-stock notifications. The controller accepts a uenc query parameter, which OpenMage uses to base64-encode a return URL after the requested action completes.
In the affected code path, stockAction() decodes uenc into $backUrl and passes it to $this->_redirectUrl($backUrl). The controller does not call $this->_isUrlInternal() to confirm the destination belongs to the same host. Successful exploitation requires user interaction, since the victim must click the crafted link.
Root Cause
The root cause is missing validation of an attacker-controlled URL parameter before performing an HTTP redirect. OpenMage provides _isUrlInternal() precisely to enforce same-origin redirects, but stockAction() omits the check on the failure branch where the supplied product_id does not resolve to a catalog product. The trust boundary between user-supplied input and the redirect sink is therefore not enforced.
Attack Vector
An attacker constructs a URL pointing at the vulnerable Magento storefront, includes an invalid product_id, and sets uenc to a base64-encoded external URL. When a victim clicks the link, the storefront returns an HTTP 302 to the attacker-chosen destination. Because the initial domain belongs to a legitimate merchant, the redirect can be used to bolster phishing campaigns, harvest credentials on lookalike login pages, or deliver malware while bypassing URL reputation checks that whitelist the merchant domain.
The vulnerability is described in prose only; see the GitHub Security Advisory GHSA-qpgq-5g92-j5q8 for the maintainer's technical details and patch diff.
Detection Methods for CVE-2026-42207
Indicators of Compromise
- Web server access logs showing requests to /productalert/add/stock/ paths with a uenc parameter that decodes to an external hostname.
- HTTP 302 responses from the storefront whose Location header points to a domain outside the merchant's own domains.
- Spike in requests to productalert endpoints with product_id values that do not exist in the catalog.
Detection Strategies
- Decode the uenc query parameter from base64 in WAF or log pipelines and alert when the decoded value is not a same-origin URL.
- Correlate referrer chains where users arrive at external domains via a 302 from the storefront's product alert endpoints.
- Add static code analysis rules that flag calls to _redirectUrl() not preceded by _isUrlInternal() in custom Magento modules.
Monitoring Recommendations
- Monitor outbound redirects from storefront domains and baseline expected destinations.
- Track customer reports of suspicious links that begin with the merchant domain but land on third-party sites.
- Review threat intelligence feeds for phishing kits abusing Magento uenc redirects.
How to Mitigate CVE-2026-42207
Immediate Actions Required
- Upgrade OpenMage Magento LTS to version 20.18.0 or later, where stockAction() validates the redirect target.
- Inventory custom controllers and third-party modules for additional uses of uenc that omit _isUrlInternal() checks.
- Inform customer support teams so they can recognize and report phishing campaigns that abuse storefront redirects.
Patch Information
The issue is fixed in OpenMage Magento LTS 20.18.0. The patch adds an internal URL check before calling _redirectUrl() on the uenc-derived destination in Mage_ProductAlert_AddController::stockAction(). Refer to the OpenMage GitHub Security Advisory for commit details.
Workarounds
- Deploy a WAF rule that rejects requests to /productalert/add/stock/ when the base64-decoded uenc value contains a scheme or host that does not match the storefront domain.
- Strip or rewrite the uenc parameter at the reverse proxy for the product alert endpoints until the upgrade is applied.
- Restrict the Location response header on storefront responses to same-origin values using an egress middleware.
# Example ModSecurity rule to block external uenc redirects on the product alert endpoint
SecRule REQUEST_URI "@beginsWith /productalert/add/stock" \
"phase:2,chain,deny,status:400,id:1004207,msg:'CVE-2026-42207 external uenc redirect blocked'"
SecRule ARGS:uenc "@rx ^[A-Za-z0-9+/=]+$" \
"chain,t:base64Decode"
SecRule TX:0 "@rx ^https?://(?!storefront\.example\.com)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

