CVE-2026-22032
Open Redirect in Directus SAML Callback Allows Phishing

Publication date: 2026-01-08

Last updated on: 2026-01-08

Assigner: GitHub, Inc.

Description
Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.14.0, an open redirect vulnerability exists in the Directus SAML authentication callback endpoint. During SAML authentication, the `RelayState` parameter is intended to preserve the user's original destination. However, while the login initiation flow validates redirect targets against allowed domains, this validation is not applied to the callback endpoint. This allows an attacker to craft a malicious authentication request that redirects users to an arbitrary external URL upon completion. The vulnerability is present in both the success and error handling paths of the callback. This vulnerability can be exploited without authentication. Version 11.14.0 contains a patch.
Meta Information
Published: 2026-01-08
Last Modified: 2026-01-08
Generated: 2026-05-07
AI Q&A: 2026-01-08
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: directus
Product: directus
Version / Range: all versions before 11.14.0 (11.14.0 itself is not affected)
Exploitability
CWE-601: The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-22032 is an open redirect vulnerability in the Directus SAML authentication callback endpoint. During SAML login the RelayState parameter carries the destination the user should land on once authentication completes. The login initiation flow checks that destination against the list of allowed domains, but the callback endpoint, which is where the redirect is actually issued, does not repeat the check. An attacker can therefore craft an authentication request whose RelayState points at an arbitrary external URL, and the callback sends the user there after the SAML exchange. Both the success path and the error path of the callback issue the redirect, so the SAML exchange does not even have to succeed for the user to be sent off-site. Exploitation requires no authentication but does require user interaction, such as clicking a link. [1]


How can this vulnerability impact me?

This vulnerability can be exploited to redirect users to attacker-controlled websites that mimic legitimate login pages, enabling phishing attacks: the victim starts from a genuine Directus URL and, after a real-looking authentication step, lands on the attacker's page. It can also be chained with other weaknesses to capture tokens or codes that are passed along in the post-login redirect, leading to credential theft, and it erodes user trust in the security of the application. Since the vulnerability can be exploited without authentication, it poses a moderate security risk. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Monitor requests to the Directus SAML callback endpoint for RelayState values that resolve to an external or unapproved URL. Two practical caveats apply. First, the callback receives RelayState in the POSTed form body together with the SAMLResponse, and a default web-server access log records only the request line, so you need a reverse proxy or WAF configured to log request bodies, or the application's own logs. Second, the value is URL-encoded, so a redirect to `https://evil.example` shows up as `RelayState=https%3A%2F%2Fevil.example`. A rough first pass over such logs, for example `grep -iE 'RelayState=(https?(%3A|:)|%2F%2F|//)' /var/log/nginx/access.log | grep -vi 'your-allowed-domain.com'`, surfaces RelayState values that are absolute or protocol-relative URLs and drops lines that mention your own domain; treat that second filter as coarse, because a plain substring match also lets through hosts such as `your-allowed-domain.com.evil.example`. Tools such as curl can be used to confirm the behaviour against a test instance. However, no specific detection commands are provided in the resources. [1]
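The scan described above, written out as an added example in JavaScript (it is not from the advisory or from Directus). It assumes a reverse proxy that appends the request body to each access-log line, as nginx does with `$request_body` in a custom `log_format`, and it assumes a callback path and an allowlist of hostnames; the log lines are constructed for illustration.

```javascript
// Added example: flag SAML callback requests whose RelayState resolves off-site.
// Assumes the proxy logs the POST body as the last quoted field of each line
// (e.g. nginx $request_body); plain access logs do not contain RelayState.

// Hypothetical deployment values, not taken from the advisory.
const ALLOWED_HOSTS = new Set(["directus.example.com", "app.example.com"]);
const CALLBACK_PATH = "/auth/login/saml/acs"; // hypothetical callback path

// Constructed sample log, combined-log style with the request body appended.
const SAMPLE_LOG = `
203.0.113.7 - - [08/Jan/2026:10:00:01 +0000] "POST /auth/login/saml/acs HTTP/1.1" 302 0 "SAMLResponse=PHNhbWxwOlJlc3BvbnNl&RelayState=%2Fadmin%2Fcontent"
203.0.113.8 - - [08/Jan/2026:10:00:02 +0000] "POST /auth/login/saml/acs HTTP/1.1" 302 0 "SAMLResponse=garbage&RelayState=https%3A%2F%2Fevil.example%2Flogin"
203.0.113.9 - - [08/Jan/2026:10:00:03 +0000] "GET /auth/login/saml?redirect=%2Fadmin HTTP/1.1" 302 0 "-"
203.0.113.10 - - [08/Jan/2026:10:00:04 +0000] "POST /auth/login/saml/acs HTTP/1.1" 302 0 "RelayState=%2F%2Fevil.example%2Fx&SAMLResponse=garbage"
203.0.113.11 - - [08/Jan/2026:10:00:05 +0000] "POST /auth/login/saml/acs HTTP/1.1" 302 0 "RelayState=https%3A%2F%2Fapp.example.com%2Fdash&SAMLResponse=ok"
`;

// ip - - [time] "METHOD target protocol" status bytes "body"
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+ "([^"]*)"$/;

// Resolve RelayState against the site so "/admin" is on-site while
// "//evil.example/x" and "https://evil.example/..." are not. Returns the
// resolved off-site URL, or null when the target is on the allowlist.
function offSiteTarget(relayState) {
  try {
    const u = new URL(relayState, "https://directus.example.com");
    return ALLOWED_HOSTS.has(u.hostname) ? null : u.href;
  } catch {
    return relayState; // unparsable: still worth a look
  }
}

// Walk the log and report every POST to the callback whose RelayState is off-site.
function scanLog(text) {
  const findings = [];
  for (const line of text.split("\n")) {
    const m = LINE_RE.exec(line.trim());
    if (!m) continue;
    const [, ip, time, method, target, , body] = m;
    if (method !== "POST" || target.split("?")[0] !== CALLBACK_PATH) continue;
    // URLSearchParams decodes percent-encoding for us.
    const relayState = new URLSearchParams(body).get("RelayState");
    if (relayState === null) continue;
    const resolved = offSiteTarget(relayState);
    if (resolved !== null) findings.push({ ip, time, relayState, resolved });
  }
  return findings;
}

console.log(JSON.stringify(scanLog(SAMPLE_LOG), null, 2));
```

Resolving the value with the WHATWG `URL` parser rather than matching on `http` is the point: the protocol-relative `//evil.example/x` on the fourth line has no scheme at all, yet it still leaves the site, and the parser reports its hostname correctly.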


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade Directus to version 11.14.0 or later, where the vulnerability is patched. The patch adds validation of the RelayState parameter in the SAML authentication callback endpoint so that redirects are only issued to approved domains. If upgrading immediately is not possible, consider validating or filtering the RelayState parameter in front of the application, for example with a reverse-proxy or WAF rule; bear in mind that the value arrives in the POST body of the callback, that the rule must cover the error path as well as the success path, and that it must reject protocol-relative (`//host`) and scheme-only variants rather than only strings that begin with `http`. Also educate users to be cautious about clicking on suspicious authentication links that could exploit this vulnerability. [1, 2]
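The vulnerable shape described in the explanation above, beside the kind of allowlist check the mitigation calls for, as an added JavaScript example; this is illustrative code, not Directus's own callback or patch. The public URL, the allowed origins, the default landing page and the Express-style request and response objects are all assumptions.

```javascript
// Added illustration (not Directus code): a SAML callback that trusts RelayState
// on both the success and the error path, next to a hardened version that
// resolves RelayState and only follows it when it stays on an allowed origin.

// Hypothetical deployment values.
const PUBLIC_URL = "https://directus.example.com";
const ALLOWED_ORIGINS = new Set([PUBLIC_URL, "https://app.example.com"]);
const DEFAULT_REDIRECT = PUBLIC_URL + "/admin/login";

// Resolve a RelayState value to an absolute URL and return it only if it is
// http(s) on an allowed origin; otherwise return null. Relative paths such as
// "/admin/content" resolve against PUBLIC_URL and pass; "//evil.example",
// "/\evil.example", "http:evil.example" and "javascript:..." all fail.
function resolveRelayState(relayState) {
  if (typeof relayState !== "string" || relayState.length === 0) return null;
  let url;
  try {
    url = new URL(relayState, PUBLIC_URL);
  } catch {
    return null; // unparsable: treat as absent
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  if (!ALLOWED_ORIGINS.has(url.origin)) return null;
  return url.href;
}

// VULNERABLE shape: RelayState is used as the redirect target unchecked, and the
// error path redirects too, so a bogus SAMLResponse is enough to trigger it.
function vulnerableCallback(req, res) {
  const { SAMLResponse, RelayState } = req.body;
  if (!SAMLResponse) {
    return res.redirect(`${RelayState}?reason=INVALID_PAYLOAD`);
  }
  return res.redirect(RelayState);
}

// HARDENED shape: every redirect, success or error, goes through
// resolveRelayState() and falls back to DEFAULT_REDIRECT when off-list.
function hardenedCallback(req, res) {
  const { SAMLResponse, RelayState } = req.body;
  const target = resolveRelayState(RelayState) ?? DEFAULT_REDIRECT;
  if (!SAMLResponse) {
    const u = new URL(target);
    u.searchParams.set("reason", "INVALID_PAYLOAD");
    return res.redirect(u.href);
  }
  return res.redirect(target);
}

// Minimal stand-in for an Express response: records the Location it was given.
function run(handler, body) {
  const res = { location: null, redirect(to) { this.location = to; } };
  handler({ body }, res);
  return res.location;
}

// Stand-alone demonstration: a forged error-path request against both handlers.
const forged = { RelayState: "https://evil.example/phish" };
console.log("vulnerable:", run(vulnerableCallback, forged));
console.log("hardened:  ", run(hardenedCallback, forged));
```

The check compares `url.origin` after resolving against the site's own URL, which is what defeats the usual open-redirect bypasses: a protocol-relative `//evil.example` and a slash-backslash `/\evil.example` both resolve to an origin that is not on the list, a `javascript:` value fails the protocol test, and a look-alike host such as `directus.example.com.evil.example` is a different origin rather than a matching substring.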


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided resources do not explicitly discuss the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. However, the vulnerability enables open redirects that can facilitate phishing attacks and potential credential theft, which could indirectly affect compliance by compromising user data security and privacy. No direct statements about regulatory compliance impact are given. [1]

