CVE-2026-21853
Received Received - Intake
Remote Code Execution via AFFiNE Custom URL Handler

Publication date: 2026-03-02

Last updated on: 2026-04-20

Assigner: GitHub, Inc.

Description
AFFiNE is an open-source, all-in-one workspace and an operating system. Prior to version 0.25.4, there is a one-click remote code execution vulnerability. This vulnerability can be exploited by embedding a specially crafted affine: URL on a website. An attacker can trigger the vulnerability in two common scenarios: 1/ A victim visits a malicious website controlled by the attacker and the website redirect to the URL automatically, or 2/ A victim clicks on a crafted link embedded on a legitimate website (e.g., in user-generated content). In both cases, the browser invokes AFFiNE custom URL handler, which launches the AFFiNE app and processes the crafted URL. This results in arbitrary code execution on the victim’s machine, without further interaction. This issue has been patched in version 0.25.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-02
Last Modified
2026-04-20
Generated
2026-06-16
AI Q&A
2026-03-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-21853
EUVD
EUVD-2026-9252
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
affine affine to 0.25.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-21853 is a high-severity remote code execution vulnerability in AFFiNE, an open-source workspace and operating system. The flaw exists in versions prior to 0.25.4 and arises from unsafe handling of custom affine:// URLs. An attacker can embed a specially crafted affine:// URL on a malicious or legitimate website. When a victim clicks or is redirected to this URL, the AFFiNE app is launched via its custom URL handler, which processes the crafted URL and executes arbitrary code on the victim's machine without further interaction."}, {'type': 'paragraph', 'content': 'The root cause is improper validation of URLs, especially those using the file:// scheme, which can bypass domain whitelisting checks and lead to execution of local files. This vulnerability is due to improper control of code generation (CWE-94), where user input is used to construct code segments without proper neutralization.'}] [1]

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability allows an attacker to execute arbitrary code on your machine if you use AFFiNE and visit or click on a crafted affine:// URL. This can happen without any further interaction beyond visiting a malicious website or clicking a malicious link embedded in legitimate content.'}, {'type': 'list_item', 'content': "Arbitrary code execution on the victim's machine."}, {'type': 'list_item', 'content': 'Potential compromise of confidentiality, integrity, and availability of your system.'}, {'type': 'list_item', 'content': 'Execution of local files or applications without your consent.'}, {'type': 'paragraph', 'content': 'Overall, this can lead to severe security breaches including system takeover, data theft, or disruption of services.'}] [1]

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by monitoring for usage or invocation of the AFFiNE application via specially crafted affine:// URLs, especially those containing the parameter hidden=1 which triggers the vulnerable redirect-proxy behavior.

Detection can involve checking for suspicious URL handler invocations or network traffic that includes affine:// URLs, particularly those that redirect to file:// URLs or other disallowed protocols.

On the system, you can look for unexpected launches of the AFFiNE app or unusual executions of local applications triggered by file:// URLs.

Specific commands are not provided in the resources, but general approaches include:

  • Monitoring browser history or logs for visits or redirects to affine:// URLs.
  • Using system process monitoring tools to detect unexpected launches of AFFiNE or local executables triggered by URL handlers.
  • Network traffic inspection for suspicious URL patterns involving affine:// or file:// schemes.
Mitigation Strategies

The primary mitigation is to upgrade the AFFiNE application to version 0.25.4 or later, where the vulnerability has been patched.

The patch introduces a secure utility function that strictly validates external URLs before opening them, blocking unsafe protocols such as file:// and preventing arbitrary code execution.

Until the upgrade is applied, users should avoid clicking on or visiting any affine:// URLs from untrusted or unknown sources.

Additional steps include:

  • Implement network filtering or browser policies to block or warn about affine:// URL schemes.
  • Educate users about the risk of clicking on suspicious links that may trigger the vulnerability.
  • Monitor and restrict the use of custom URL handlers if possible.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-21853. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart