CVE-2026-5808 Overview
A DOM-based Cross-Site Scripting (XSS) vulnerability was discovered in openstatusHQ openstatus affecting the onboarding endpoint component. The vulnerability exists in the file apps/dashboard/src/app/(dashboard)/onboarding/client.tsx, where insufficient validation of the callbackURL parameter lets an attacker-controlled redirect target, including a javascript: URL, reach the client-side router. Manipulating this argument enables cross-site scripting attacks that can be launched remotely. This product operates on a rolling release basis with continuous delivery, meaning there are no traditional version numbers for affected or patched releases.
Critical Impact
An attacker who gets a victim to open a crafted onboarding link can exploit inadequate URL validation in the onboarding flow to execute arbitrary JavaScript in the victim's browser, or to redirect the victim to an attacker-controlled site, potentially leading to session hijacking, credential theft, or phishing.
Affected Products
- openstatusHQ openstatus (commits up to 1b678e71a85961ae319cbb214a8eae634059330c)
- OpenStatus Dashboard Application - Onboarding Component
- Installations using the affected client.tsx onboarding endpoint
Discovery Timeline
- April 8, 2026 - CVE-2026-5808 published to NVD
- April 8, 2026 - Last updated in NVD database
Technical Details for CVE-2026-5808
Vulnerability Analysis
This DOM-based XSS vulnerability stems from insufficient validation of the callbackURL parameter in the OpenStatus dashboard onboarding workflow. The vulnerable component is a React/TypeScript file that handles user redirection after completing the onboarding process. Prior to the patch, the application failed to verify that redirect URLs were same-origin and used safe protocols, allowing attackers to craft malicious URLs that could execute JavaScript or redirect users to attacker-controlled domains.
The attack is network-accessible and requires user interaction, as victims must click on a maliciously crafted link containing the poisoned callbackURL parameter. When the vulnerable code processes this parameter, it can lead to the execution of attacker-supplied scripts within the context of the authenticated user's session.
Root Cause
The root cause is insufficient input validation in the URL handling logic of the onboarding client component. The original implementation only checked whether the URL pathname was empty or root (/), but did not validate:
- Whether the redirect URL pointed to the same origin as the application
- Whether the URL protocol was restricted to safe values (http: or https:)
- Whether relative paths started with a forward slash to prevent protocol-based attacks
This allowed attackers to bypass the minimal validation and inject URLs with malicious protocols (such as javascript:) or redirect users to external malicious sites.
Attack Vector
The attack vector involves crafting a malicious URL containing a specially crafted callbackURL parameter. An attacker could distribute this link through phishing emails, social media, or other channels. When a victim clicks the link and completes or interacts with the onboarding flow, the malicious callback URL is processed, potentially executing JavaScript in the victim's browser context or redirecting them to an attacker-controlled site.
// Security patch showing the fix for DOM-based XSS
try {
const url = new URL(callbackUrl, window.location.origin);
if (url.pathname === "/" || url.pathname === "") return;
+ // Only allow same-origin redirects with safe protocols
+ if (url.origin !== window.location.origin) return;
+ if (url.protocol !== "http:" && url.protocol !== "https:") return;
router.push(callbackUrl);
} catch {
// If callbackUrl is a relative path, check it directly
if (callbackUrl === "/" || callbackUrl === "") return;
+ // Only allow paths starting with / to prevent protocol-based attacks
+ if (!callbackUrl.startsWith("/")) return;
router.push(callbackUrl);
}
}, [callbackUrl, router]);
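Review bot: the catch branch's `if (!callbackUrl.startsWith("/")) return;` is a much weaker gate than the try branch, and the `router.push(callbackUrl)` after it forwards a string the URL parser has just rejected. Because `new URL` is given `window.location.origin` as a base, nearly every input parses (including `javascript:` and `//host` forms, which the origin check then stops), so this branch is reached only for strings the parser could not make sense of, such as a bare `//`, and that one passes `startsWith("/")`. Suggest returning unconditionally in the catch: a callback URL that cannot be parsed relative to the application's own origin should never be navigated to. Also consider pushing `url.pathname + url.search + url.hash` in the try branch instead of the raw `callbackUrl`, so the value handed to the router is exactly the one the origin check validated; once the origin comparison is in place the separate `protocol` check is redundant, though harmless.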
Source: GitHub OpenStatus Commit
Detection Methods for CVE-2026-5808
Indicators of Compromise
- Requests to the onboarding page whose callbackURL parameter carries a javascript: or data: scheme, in any letter case or with the colon percent-encoded
- URLs containing encoded (including double-encoded) JavaScript payloads in the callback parameter
- Unusual redirect patterns in application logs showing external domains or protocol-relative (//host) targets in callback URLs
- CSP violation reports (report-uri or report-to) for blocked javascript: navigations or inline script execution on onboarding pages; browser console errors are visible only to the victim, so they are not a usable server-side indicator
Detection Strategies
- Implement Web Application Firewall (WAF) rules that normalize case and percent-encoding before matching, then block callbackURL values with a javascript: or data: scheme or a protocol-relative // prefix; a WAF inspects only the query string, so a value carried in the URL fragment never reaches it
- Monitor application logs for callback URL values that do not match expected internal paths (a single leading slash, same host)
- Deploy Content Security Policy (CSP) headers to restrict inline script execution and javascript: navigation, with a report endpoint so violations are collected
- Confirm the fix with a DAST scan or a manual test of the onboarding flow that submits cross-origin, protocol-relative and javascript: callbackURL values and verifies that none of them is followed
Monitoring Recommendations
- Enable verbose logging for the onboarding endpoint to capture all callbackURL parameter values
- Set up alerts for CSP violation reports that may indicate XSS exploitation attempts
- Monitor for unusual user session activity following onboarding flow completion
- Review referrer headers to identify potential phishing campaigns distributing malicious links
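The following is an added example, not code from the openstatus repository or from the fix commit. It packages the callback-URL check described under Root Cause as a pure function (with the pre-patch check kept beside it so the bypass is visible) and then reuses that function to scan constructed access-log lines for the callbackURL values that the Detection Strategies and Monitoring Recommendations above ask you to look for; the same function would serve the server-side validation suggested under Workarounds. APP_ORIGIN, the simplified log format, the function names and every sample value are assumptions made for this example.

```javascript
// Added example, not code from the openstatus repository. APP_ORIGIN, the
// simplified log format and every sample value below are constructed for the
// example; the function names are this example's own.

const APP_ORIGIN = "https://status.example.test"; // stands in for window.location.origin

// WHATWG URL parse that reports failure as null instead of throwing.
function parseUrl(value, base) {
  try {
    return new URL(value, base);
  } catch {
    return null;
  }
}

// Pre-patch behaviour as described under "Root Cause": parse, skip only the
// empty/root path, and forward everything else (javascript:, cross-origin,
// even unparseable strings) to the router.
function legacyAcceptsCallback(callbackUrl, appOrigin = APP_ORIGIN) {
  const url = parseUrl(callbackUrl, appOrigin);
  if (url) return !(url.pathname === "/" || url.pathname === "");
  return !(callbackUrl === "/" || callbackUrl === "");
}

// Hardened check in the shape of the patch: http(s) only, same origin only, and
// a parse failure means "no redirect". Returns the normalized path the router
// should receive, or null when the application should use its default route.
function safeCallbackPath(callbackUrl, appOrigin = APP_ORIGIN) {
  const url = parseUrl(callbackUrl, appOrigin);
  if (!url) return null;                       // e.g. a bare "//" fails to parse: never navigate to it
  if (url.protocol !== "http:" && url.protocol !== "https:") return null; // javascript:, data:, ...
  if (url.origin !== appOrigin) return null;   // stops "//evil", "https://evil" and "/\evil" alike
  if (url.pathname === "/" || url.pathname === "") return null;
  // Re-serialize so the router gets path+query+fragment, never the raw string.
  return url.pathname + url.search + url.hash;
}

// Why a value would be rejected, for the detection report below.
function rejectReason(value, appOrigin = APP_ORIGIN) {
  if (value.trim() === "" || value === "/") return null;         // default redirect, benign
  if (safeCallbackPath(value, appOrigin) !== null) return null;  // passes the hardened check
  if (/^\s*(javascript|data):/i.test(value)) return "script-bearing scheme";
  return "not a same-origin http(s) path";
}

// Collapse up to two layers of percent-encoding (encoded payloads are one of
// the listed indicators); stop on malformed input rather than throw.
function fullyDecode(value) {
  let out = value;
  for (let i = 0; i < 2; i++) {
    try {
      const next = decodeURIComponent(out);
      if (next === out) break;
      out = next;
    } catch {
      break;
    }
  }
  return out;
}

// Scan access-log lines of the constructed form
//   <client-ip> "<METHOD> <path?query> HTTP/x.y" <status>
// and report every callbackURL value the hardened check would reject.
// `raw` is the parameter as the query parser delivers it (decoded once).
function scanLogLines(lines, appOrigin = APP_ORIGIN) {
  const lineRe = /^(\S+) "(?:GET|POST) (\S+) HTTP\/[\d.]+"/;
  const findings = [];
  for (const line of lines) {
    const m = lineRe.exec(line);
    if (!m) continue;
    const [, ip, target] = m;
    const request = parseUrl(target, appOrigin);
    if (!request) continue;
    const raw = request.searchParams.get("callbackURL");
    if (raw === null) continue;
    const reason = rejectReason(fullyDecode(raw), appOrigin);
    if (reason) findings.push({ ip, raw, reason });
  }
  return findings;
}

// Constructed sample log (RFC 5737 documentation addresses, not real traffic).
const SAMPLE_LOG = [
  '203.0.113.7 "GET /onboarding?callbackURL=%2Fdashboard HTTP/1.1" 200',
  '203.0.113.8 "GET /onboarding?callbackURL=javascript%3Aalert(document.cookie) HTTP/1.1" 200',
  '203.0.113.9 "GET /onboarding?callbackURL=javascript%253Aalert(1) HTTP/1.1" 200',
  '198.51.100.4 "GET /onboarding?callbackURL=%2F%2Fevil.example.test%2Fphish HTTP/1.1" 200',
  '198.51.100.5 "GET /onboarding?callbackURL=https%3A%2F%2Fstatus.example.test%2Fmonitors HTTP/1.1" 200',
  '198.51.100.6 "GET /onboarding HTTP/1.1" 200',
];

console.table(scanLogLines(SAMPLE_LOG));
```

Run it with node: `safeCallbackPath` returns the path the router should receive or null, and `scanLogLines` returns one finding per rejected value (three for the sample log: the plain and the double-encoded javascript: values, and the protocol-relative host override). The second decoding pass in `fullyDecode` is what surfaces the `javascript%253A` line; a production scanner should also read the parameter name case-insensitively if the framework does, and should remember that a value carried in the URL fragment never appears in server logs at all.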
How to Mitigate CVE-2026-5808
Immediate Actions Required
- Update to the patched version by pulling the latest commit from the OpenStatus repository containing fix 43d9b2b9ef8ae1a98f9bdc8a9f86d6a3dfaa2dfb
- Review application logs for any historical exploitation attempts using suspicious callback URLs
- Implement Content Security Policy headers to provide defense-in-depth against XSS attacks
- Notify users who may have been exposed to phishing attempts leveraging this vulnerability
Patch Information
The vulnerability has been addressed in commit 43d9b2b9ef8ae1a98f9bdc8a9f86d6a3dfaa2dfb. Since OpenStatus operates on a rolling release model, users should pull the latest version from the OpenStatus GitHub repository. The patch adds proper origin validation and protocol restrictions to the callback URL handling logic. The related pull request #1981 contains additional context about the fix. The vendor responded professionally and released the fix promptly after disclosure.
Workarounds
- Implement a reverse proxy or WAF rule to strip or validate callbackURL parameters before they reach the application (this covers only values in the query string; a value placed in the URL fragment never leaves the browser)
- Temporarily disable the onboarding redirect functionality if not critical to operations
- Add server-side validation of callback URLs as an additional security layer
- Deploy strict Content Security Policy headers to mitigate the impact of any successful XSS exploitation
# Example CSP header configuration to mitigate XSS risks
# Add to your web server configuration (nginx example)
# A script-src without 'unsafe-inline' also blocks navigation to javascript: URLs, which is
# the sink this CVE abuses. A Next.js dashboard needs its own inline bootstrap scripts allowed
# through a per-request nonce or hash, so test with Content-Security-Policy-Report-Only before
# enforcing. The report-uri path is a placeholder for your own violation-collection endpoint.
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; form-action 'self'; report-uri /csp-report;" always;
# WAF rule example (ModSecurity): refuse callbackURL values that carry a script-bearing
# scheme or a protocol-relative "//" host override. The transformations normalize a second
# layer of percent-encoding, letter case and embedded whitespace before the match; a plain
# case-sensitive "@contains javascript:" over all ARGS misses JavaScript%3A and similar variants.
# A WAF sees only the query string: a value carried in the URL fragment never reaches it.
SecRule ARGS:callbackURL "@rx ^(?:(?:javascript|data):|//)" \
    "id:100001,phase:2,t:none,t:urlDecodeUni,t:lowercase,t:removeWhitespace,deny,status:403,log,msg:'Suspicious callbackURL value blocked'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.