CVE-2026-33284
Open Redirect in GlobaLeaks /api/support Enables Phishing
Publication date: 2026-03-27
Last updated on: 2026-04-10
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| globaleaks | globaleaks | up to 5.0.89 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in GlobaLeaks (CVE-2026-33284) involves insufficient URL validation in support emails sent to administrators, which could lead to phishing or social engineering attacks if administrators click on malicious URLs.
However, the vulnerability does not allow code execution, data modification, credential exposure, or system disruption, and only affects administrators who interact with the malicious URLs.
There is no direct information provided about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-33284 is an insufficient URL validation vulnerability in the /api/support endpoint of the GlobaLeaks whistleblowing software versions up to 5.0.88. This endpoint performs minimal validation on user-submitted support requests, allowing arbitrary URLs to be included in support emails sent to administrators.
Although the backend tries to block special characters in email addresses and link formats, it does not verify that URLs point only to the GlobaLeaks platform. These URLs are forwarded as plain text in support emails, but some email clients may automatically convert them into clickable links.
This creates a low-risk vulnerability mainly related to social engineering or phishing attacks targeting administrators who might click on malicious URLs.
How can this vulnerability impact me?
The vulnerability primarily impacts administrators who receive support emails containing arbitrary URLs. If an administrator clicks on a malicious URL that was included due to insufficient validation, they could be exposed to phishing or social engineering attacks.
There is no direct technical impact such as code execution, data modification, credential exposure, or system disruption on the GlobaLeaks platform itself.
Exploitation requires no privileges but does require administrator interaction by clicking the link.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the /api/support endpoint of GlobaLeaks performing minimal validation on user-submitted URLs in support requests, allowing arbitrary URLs to be included in emails sent to administrators.
Detection can focus on monitoring or inspecting support request traffic to the /api/support endpoint for unusual or arbitrary URLs in the "url" parameter.
Since the vulnerability is related to URLs included in support emails, you can also monitor outgoing support emails for suspicious or unexpected URLs.
Specific commands are not provided in the resources, but general approaches include:
- Using network traffic inspection tools (e.g., tcpdump, Wireshark) to capture HTTP POST requests to /api/support and grep for the "url" parameter.
- Example command to capture and inspect traffic (assuming HTTP on port 80): `tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/api/support'`
- Searching application logs for support requests containing URLs in the "url" parameter.
- Reviewing outgoing support emails for URLs that do not belong to the GlobaLeaks platform.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Upgrade GlobaLeaks to version 5.0.89 or later, where the vulnerability is patched.
- Apply escaping to URLs and email addresses in support emails, such as replacing "://" with "[://]", "." with "[.]", and "@" with "[@]" to prevent automatic link conversion by email clients.
- Deprecate or disable the "url" parameter in support requests and have the server determine the platform context itself instead of trusting the client-supplied value.
- Configure administrator email clients to disable automatic link conversion to reduce the risk of accidental clicks on malicious URLs.
- Train administrators to be cautious with links received in support emails, especially those from untrusted sources.
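The two server-side mitigations above, rejecting or flagging a "url" value that does not point at the platform's own hostname and defanging the URL and e-mail address before they reach the support mail, as an added example. This is not GlobaLeaks code; the hostname `leaks.example.org`, the request fields and the mail layout are constructed for the illustration.

```python
"""Validate and defang the URL and e-mail address of a support request
before rendering the e-mail sent to administrators (added example)."""
from urllib.parse import urlsplit

# Constructed: the hostname(s) this instance is actually served on.
PLATFORM_HOSTS = {"leaks.example.org"}


def is_platform_url(url, allowed_hosts=PLATFORM_HOSTS):
    """True only for an http(s) URL whose host is one of ours.

    urlsplit() yields the real host, so "https://leaks.example.org@evil.example/"
    is seen as evil.example and rejected, as are javascript: URLs and
    scheme-relative forms such as "//evil.example/".
    """
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    host = (parts.hostname or "").lower()
    return parts.scheme in ("http", "https") and host in allowed_hosts


def defang(value):
    """Break link auto-detection in mail clients: "://" -> "[://]", "." -> "[.]", "@" -> "[@]"."""
    return value.replace("://", "[://]").replace(".", "[.]").replace("@", "[@]")


def build_support_mail(request, allowed_hosts=PLATFORM_HOSTS):
    """Render the support mail body; return (body, offsite) where offsite
    is True when the submitted URL does not belong to the platform, so
    the event can also be logged for detection."""
    url = request.get("url", "")
    offsite = not is_platform_url(url, allowed_hosts)
    warning = " [WARNING: not a platform URL]" if offsite else ""
    body = (
        f"Support request from: {defang(request['mail_address'])}\n"
        f"Platform URL: {defang(url)}{warning}\n"
        f"Message: {request['text']}\n"
    )
    return body, offsite


if __name__ == "__main__":
    # Constructed request whose URL hides the real host behind userinfo.
    req = {"mail_address": "reporter@example.net",
           "url": "https://leaks.example.org@phish.example/login",
           "text": "Please check the link above."}
    body, offsite = build_support_mail(req)
    print(body)          # URL and address appear defanged, with the warning
```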