CVE-2026-5467 Overview
An open redirect vulnerability has been identified in Casbin Casdoor version 2.356.0. The vulnerability exists within the OAuth Authorization Request Handler component, where improper validation of the redirect_uri parameter allows attackers to redirect users to arbitrary external URLs. This flaw can be exploited remotely without requiring authentication, making it particularly dangerous in phishing campaigns and credential theft scenarios.
Critical Impact
Attackers can leverage this open redirect vulnerability to conduct sophisticated phishing attacks, bypassing user trust by exploiting legitimate Casdoor authentication flows to redirect victims to malicious sites.
Affected Products
- Casbin Casdoor 2.356.0
- OAuth Authorization Request Handler component
Discovery Timeline
- 2026-04-03 - CVE-2026-5467 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-5467
Vulnerability Analysis
This vulnerability is classified as CWE-601 (URL Redirection to Untrusted Site, also known as Open Redirect). The OAuth Authorization Request Handler in Casdoor fails to properly validate the redirect_uri parameter during the OAuth authorization flow. When a user initiates an OAuth authentication request, the application accepts arbitrary URLs in the redirect parameter without verifying they belong to a pre-registered, trusted set of redirect URIs.
The attack can be executed remotely over the network with low complexity. While exploitation requires user interaction (clicking a malicious link), no special privileges are needed by the attacker. The primary impact is on integrity, as users can be misdirected to attacker-controlled sites while believing they are interacting with a legitimate authentication flow.
Root Cause
The root cause stems from insufficient validation logic within the OAuth Authorization Request Handler. The application fails to enforce strict allowlisting of redirect URIs, a fundamental security requirement outlined in OAuth 2.0 specifications (RFC 6749). Instead of comparing the provided redirect_uri against a pre-configured list of authorized callback URLs, the handler accepts arbitrary values, enabling the redirection to external malicious domains.
Attack Vector
The attack is executed over the network and follows a typical open redirect exploitation pattern:
- An attacker crafts a malicious OAuth authorization URL containing a controlled redirect_uri value pointing to an attacker-owned domain
- The attacker distributes this URL via phishing emails, social engineering, or compromised websites
- The victim clicks the link, trusting the legitimate Casdoor domain in the URL
- After completing authentication (or even without it), the victim is redirected to the malicious site
- The attacker's site can then harvest credentials, deliver malware, or conduct further social engineering attacks
The vulnerability is publicly documented and exploit information is available through VulDB Vulnerability #355071, increasing the likelihood of exploitation in the wild. The vendor was contacted about this disclosure but did not respond.
Detection Methods for CVE-2026-5467
Indicators of Compromise
- Unusual redirect_uri parameters in OAuth authorization requests pointing to external domains
- Authentication requests followed by redirects to URLs that are not on the registered callback allowlist
- User complaints about being redirected to suspicious websites after login attempts
- Increased phishing reports referencing legitimate Casdoor authentication URLs
Detection Strategies
- Monitor OAuth authorization endpoint logs for redirect_uri values that do not match known registered callback URLs
- Implement Web Application Firewall (WAF) rules to flag authorization requests with external domain redirect URIs
- Deploy URL filtering to detect and block requests containing suspicious redirect patterns
- Utilize SentinelOne's behavioral detection capabilities to identify anomalous redirect chains following authentication attempts
Monitoring Recommendations
- Enable verbose logging on the OAuth Authorization Request Handler to capture all redirect_uri values
- Set up alerts for redirect URIs that deviate from established patterns or registered applications
- Review authentication logs regularly for signs of exploitation attempts
- Monitor for increases in failed or abandoned OAuth flows that may indicate reconnaissance activity
How to Mitigate CVE-2026-5467
Immediate Actions Required
- Upgrade Casdoor to a patched version when available from the vendor
- Implement strict allowlisting of redirect URIs at the web application firewall or reverse proxy level
- Review and restrict all registered OAuth applications to use only pre-approved callback URLs
- Educate users about the risks of clicking OAuth links from untrusted sources
Patch Information
As of the last update on 2026-04-09, no official patch has been released by Casbin. The vendor was contacted about this disclosure but did not respond. Organizations should monitor VulDB Submission #781769 and the official Casdoor repository for updates. In the absence of a vendor patch, implementing the workarounds below is critical.
Workarounds
- Deploy a reverse proxy or WAF rule to validate redirect_uri parameters against a strict allowlist before requests reach Casdoor
- Configure network-level filtering to block outbound redirects to non-approved domains
- Implement Content Security Policy (CSP) headers with restricted form-action directives
- Consider temporarily disabling the OAuth functionality if it is not business-critical until a patch is available
```nginx
# Example nginx configuration to restrict redirect_uri values
# Add to the server block handling Casdoor OAuth endpoints
location /api/login/oauth/authorize {
    # $arg_redirect_uri is the raw query value, so it is still percent-encoded
    # exactly as the browser sent it (https%3A%2F%2Fapp.example.com%2Fcallback).
    # The pattern therefore accepts the encoded and the literal form, is
    # case-insensitive (~*) so %2f and %2F both match, and is anchored at both
    # ends so only the exact registered callbacks pass. A request with no
    # redirect_uri at all is rejected as well; relax that only if your Casdoor
    # deployment relies on a registered default callback.
    if ($arg_redirect_uri !~* "^https(://|%3A%2F%2F)(app\.example\.com|dashboard\.example\.com)(/|%2F)callback$") {
        return 403;
    }
    proxy_pass http://casdoor_backend;
}
```
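The same exact-match rule can be expressed once and reused both as the strict allowlist the Immediate Actions and Workarounds sections call for and as the log check the Detection Strategies section describes (flagging authorization requests whose redirect_uri is not a registered callback). The script below is an added example written for this page, not Casdoor project code or part of the VulDB entry; the registered URIs, the endpoint path `/api/login/oauth/authorize` and the access log lines are constructed sample data, and the hostnames are assumptions.

```python
"""Added example, not Casdoor project code.

Strict redirect_uri allowlisting as RFC 6749 section 3.1.2.3 requires (exact
string comparison against registered URIs), replayed over OAuth
authorization-endpoint access log lines to surface CWE-601 exploitation
attempts. Registered URIs, endpoint path and log lines are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist of registered callback URIs (assumed values).
REGISTERED_REDIRECT_URIS = frozenset({
    "https://app.example.com/callback",
    "https://dashboard.example.com/callback",
})

# Assumed authorization endpoint path used in the constructed log lines.
AUTHORIZE_PATH = "/api/login/oauth/authorize"


def normalize_redirect_uri(uri):
    """Return a canonical form of an absolute https URI, or None when the
    value must not be accepted as a redirect target at all: non-https
    schemes, any userinfo ('https://app.example.com@evil.example/' puts the
    registered host before the '@' while the real host is evil.example),
    fragments (forbidden by RFC 6749 section 3.1.2) and malformed ports."""
    try:
        parts = urlsplit(uri)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None
    if parts.username is not None or parts.password is not None:
        return None
    if parts.fragment:
        return None
    host = parts.hostname.lower()  # hostname property is already lowercased
    if port is not None and port != 443:
        host = f"{host}:{port}"
    canonical = f"https://{host}{parts.path or '/'}"
    if parts.query:
        canonical += "?" + parts.query
    return canonical


def is_allowed_redirect_uri(candidate, registered=REGISTERED_REDIRECT_URIS):
    """Exact match after normalization. Prefix or substring matching is
    deliberately avoided: it is what lets a lookalike such as
    'https://app.example.com.evil.example/callback' through."""
    allowed = {normalize_redirect_uri(r) for r in registered} - {None}
    canonical = normalize_redirect_uri(candidate)
    return canonical is not None and canonical in allowed


# Request line of a common-log-format access entry (client IP, timestamp, target).
_REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?:GET|POST) (?P<target>\S+) HTTP/'
)


def find_suspicious_redirects(log_lines, registered=REGISTERED_REDIRECT_URIS):
    """Return one finding per authorization request whose redirect_uri is not
    a registered callback. Other paths, and requests carrying no redirect_uri,
    are ignored."""
    findings = []
    for line in log_lines:
        m = _REQUEST_RE.match(line)
        if not m:
            continue
        target = urlsplit(m.group("target"))
        if target.path != AUTHORIZE_PATH:
            continue
        # parse_qs percent-decodes once, yielding the value the browser sent.
        for redirect_uri in parse_qs(target.query).get("redirect_uri", []):
            if not is_allowed_redirect_uri(redirect_uri, registered):
                findings.append({"ip": m.group("ip"), "time": m.group("ts"),
                                 "redirect_uri": redirect_uri})
    return findings


# Constructed access log lines (not from a real deployment).
SAMPLE_LOG = [
    # registered callback, percent-encoded as browsers send it: allowed
    '198.51.100.7 - - [03/Apr/2026:10:01:22 +0000] "GET /api/login/oauth/authorize?client_id=app&response_type=code&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback&state=s1 HTTP/1.1" 302 0',
    # registered host reused as a subdomain of another domain: flagged
    '203.0.113.5 - - [03/Apr/2026:10:02:03 +0000] "GET /api/login/oauth/authorize?client_id=app&response_type=code&redirect_uri=https%3A%2F%2Fapp.example.com.attacker.example%2Fcallback&state=s2 HTTP/1.1" 302 0',
    # registered host placed in the userinfo part: flagged
    '203.0.113.5 - - [03/Apr/2026:10:02:41 +0000] "GET /api/login/oauth/authorize?client_id=app&response_type=code&redirect_uri=https%3A%2F%2Fapp.example.com%40attacker.example%2Fcallback&state=s3 HTTP/1.1" 302 0',
    # scheme downgrade of a registered URI: flagged
    '203.0.113.9 - - [03/Apr/2026:10:03:10 +0000] "GET /api/login/oauth/authorize?client_id=app&response_type=code&redirect_uri=http%3A%2F%2Fapp.example.com%2Fcallback&state=s4 HTTP/1.1" 302 0',
    # unrelated endpoint: ignored
    '198.51.100.7 - - [03/Apr/2026:10:03:30 +0000] "GET /api/get-account HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for f in find_suspicious_redirects(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} unregistered redirect_uri: {f['redirect_uri']}")
```

Run against the constructed sample it reports three of the five lines; the legitimate request and the unrelated endpoint are silent. In production, feed the same function the access log of the proxy in front of Casdoor and load the registered set from the application configuration rather than a hard-coded constant, so that the detector and the enforcement point share one source of truth.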
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.