CVE-2026-32113
Open Redirect Vulnerability in Discourse StaticController Component
Publication date: 2026-03-31
Last updated on: 2026-04-03
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| discourse | discourse | 2026.3.0 |
| discourse | discourse | From 2026.1.0 (inc) to 2026.1.3 (exc) |
| discourse | discourse | From 2026.2.0 (inc) to 2026.2.2 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability CVE-2026-32113 is an open redirect issue that allows attackers to redirect authenticated users to arbitrary external sites, potentially enabling phishing attacks.
While the vulnerability itself does not directly impact the confidentiality, integrity, or availability of the Discourse system, it poses a significant risk to user security by facilitating phishing attacks after authentication.
This phishing risk could indirectly affect compliance with standards like GDPR and HIPAA, which require protecting user data and ensuring secure authentication flows, because successful phishing could lead to unauthorized access or disclosure of personal data.
Therefore, organizations using affected Discourse versions should apply the patch or disable the vulnerable feature to maintain compliance with security requirements in these regulations.
Can you explain this vulnerability to me?
CVE-2026-32113 is an open redirect vulnerability in the Discourse discussion platform affecting versions before 2026.1.3, 2026.2.2, and 2026.3.0. The vulnerability occurs because the `enter` action in the StaticController reads the `sso_destination_url` cookie and redirects users to its value without validating whether the URL is safe or belongs to trusted domains.
Although the cookie is normally set during legitimate Single Sign-On (SSO) flows with cryptographically validated payloads, it is client-controlled and can be manipulated by attackers. This allows attackers who can set this cookie in a victim's browser to redirect authenticated users to arbitrary external sites, such as phishing pages.
The vulnerability was fixed by adding validation logic that checks if the URL in the `sso_destination_url` cookie matches configured SSO provider domains, including support for wildcard domains. If the URL is invalid or unauthorized, the redirect defaults to a safe internal path.
How can this vulnerability impact me?
This vulnerability can impact you by enabling attackers to perform phishing attacks on your users after they authenticate. If an attacker can set the `sso_destination_url` cookie in a victim's browser, they can cause the victim to be redirected to a malicious external site immediately after login.
Such phishing attacks can trick users into divulging sensitive information or credentials by redirecting them to attacker-controlled websites that appear legitimate.
The attack requires the attacker to be able to set cookies in the victim's browser, which might be possible through subdomain cookie injection, cross-site scripting (XSS) on related domains, or other cookie-setting vulnerabilities.
The vulnerability does not directly affect the confidentiality, integrity, or availability of the Discourse system itself, but it poses a high risk to users due to the phishing potential.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves an attacker setting the `sso_destination_url` cookie to an arbitrary external URL to cause an open redirect after authentication. Detection involves monitoring for suspicious or unexpected values in the `sso_destination_url` cookie, especially those redirecting to external or untrusted domains.
You can detect attempts to exploit this vulnerability by inspecting HTTP requests to the `/login` endpoint and checking the `sso_destination_url` cookie values for unusual or unauthorized domains.
- Use web server or proxy logs to search for requests with the `sso_destination_url` cookie set to external domains.
- On the server, monitor HTTP request headers for the presence of the `sso_destination_url` cookie with suspicious values.
- Example command to search logs for suspicious cookie values (assuming Apache logs that include the `Cookie` request header via a `%{Cookie}i` LogFormat directive; the default combined format does not record cookies, and cookie values are usually URL-encoded, so both `://` and `%3A%2F%2F` are matched; `grep -E` has no negative lookahead, so the trusted domain is excluded with `grep -v`): `grep 'sso_destination_url=' /var/log/apache2/access.log | grep -E 'sso_destination_url=https?(://|%3A%2F%2F)' | grep -v 'your-trusted-domain'`
- Use network traffic inspection tools (e.g., Wireshark, tcpdump) to capture HTTP requests and filter for the `sso_destination_url` cookie.
- If you have access to the Discourse application logs or can enable debug logging, look for redirect events triggered by the `sso_destination_url` cookie and verify the destination URLs.
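The following Ruby is an added example, not Discourse's own code: it shows the vulnerable redirect pattern described above beside a hardened check of the kind the fix introduces (allowlisted SSO provider hosts with wildcard support, falling back to an internal path), and reuses that check to triage the constructed log lines from the detection steps. `SAFE_FALLBACK`, the allowlist format and all method names are assumptions for illustration.

```ruby
require "uri"
require "cgi"

# Added example, not Discourse's own code. SAFE_FALLBACK, the allowlist
# format and all method names are assumptions for illustration.
SAFE_FALLBACK = "/"

# Vulnerable form: the client-controlled cookie value is used as-is.
def vulnerable_redirect_target(cookie_value)
  cookie_value.to_s.empty? ? SAFE_FALLBACK : cookie_value
end

# Allowlist entries are exact hosts or "*.example.com" wildcards
# (matching subdomains only, not the apex domain itself).
def host_allowed?(host, allowed_domains)
  allowed_domains.any? do |entry|
    if entry.start_with?("*.")
      suffix = entry[1..]
      host.end_with?(suffix) && host.length > suffix.length
    else
      host == entry
    end
  end
end

# Hardened form: honour only local paths and http(s) URLs with an allowlisted
# host; other schemes, scheme-relative "//host", userinfo tricks and
# unparsable input all fall back to an internal path.
def safe_redirect_target(cookie_value, allowed_domains)
  value = cookie_value.to_s.strip
  return SAFE_FALLBACK if value.empty?
  return value if value.match?(%r{\A/(?![/\\])})  # plain local path
  uri = URI.parse(value)
  return SAFE_FALLBACK unless uri.is_a?(URI::HTTP) && uri.host && uri.userinfo.nil?
  host_allowed?(uri.host.downcase, allowed_domains) ? value : SAFE_FALLBACK
rescue URI::InvalidURIError
  SAFE_FALLBACK
end

# Log triage: given access-log lines that include the Cookie header, return
# the decoded sso_destination_url values the hardened check would reject.
def suspicious_sso_destinations(log_lines, allowed_domains)
  log_lines.filter_map do |line|
    m = line.match(/sso_destination_url=([^;"\s]+)/) or next
    dest = CGI.unescape(m[1])
    dest if safe_redirect_target(dest, allowed_domains) != dest
  end
end
```

Only values that the hardened check would have refused are reported, so a legitimate provider callback in the cookie produces no alert.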
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade Discourse to a patched version where this vulnerability is fixed. The patched versions are 2026.1.3, 2026.2.2, and 2026.3.0 or later.
If an immediate upgrade is not possible, temporarily disable the DiscourseConnect Provider feature so that the vulnerable code path is never executed.
- Upgrade Discourse to version 2026.1.3, 2026.2.2, 2026.3.0, or later.
- Temporarily set the site setting `enable_discourse_connect_provider` to `false` to disable the vulnerable SSO provider functionality.
- Review and restrict the domains configured in `discourse_connect_provider_secrets` to only trusted domains.
These steps will prevent attackers from exploiting the open redirect by ensuring that the `sso_destination_url` cookie is either not used or validated against trusted domains.