CVE-2026-33506
Received Received - Intake
DOM-Based XSS in Ory Polis Login Enables Credential Theft

Publication date: 2026-03-26

Last updated on: 2026-04-17

Assigner: GitHub, Inc.

Description
Ory Polis, formerly known as BoxyHQ Jackson, bridges or proxies a SAML login flow to OAuth 2.0 or OpenID Connect. Versions prior to 26.2.0 contain a DOM-based Cross-Site Scripting (XSS) vulnerability in Ory Polis's login functionality. The application improperly trusts a URL parameter (`callbackUrl`), which is passed to `router.push`. An attacker can craft a malicious link that, when opened by an authenticated user (or an unauthenticated user that later logs in), performs a client-side redirect and executes arbitrary JavaScript in the context of their browser. This could lead to credential theft, internal network pivoting, and unauthorized actions performed on behalf of the victim. Version 26.2.0 contains a patch for the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-04-17
Generated
2026-05-07
AI Q&A
2026-03-26
EPSS Evaluated
2026-05-05
NVD
CVE-2026-33506
EUVD
EUVD-2026-16320
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ory polis to 26.2.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
CWE-87 The product does not neutralize or incorrectly neutralizes user-controlled input for alternate script syntax.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33506 is a DOM-based Cross-Site Scripting (XSS) vulnerability in the login functionality of Ory Polis, a tool that bridges SAML login flows to OAuth 2.0 or OpenID Connect. The vulnerability exists because the application improperly trusts a URL parameter called `callbackUrl` and passes it directly to a client-side routing function (`router.push`) without validation.

An attacker can craft a malicious URL containing JavaScript code in the `callbackUrl` parameter. When an authenticated user clicks this link, or an unauthenticated user logs in after clicking it, the malicious JavaScript executes in the user's browser context. This happens because `router.push` assigns the URL to `window.location`, allowing execution of JavaScript if the URL uses the `javascript:` scheme.


How can this vulnerability impact me? :

This vulnerability can have serious impacts including credential theft, unauthorized actions performed on behalf of the victim, and internal network pivoting from the victim's browser.

  • Credential theft by executing arbitrary JavaScript in the victim's browser.
  • Unauthorized actions performed with the victim's privileges, including administrative API calls.
  • Internal network pivoting, potentially allowing attackers to access internal resources through the victim's session.

The vulnerability has a high severity with a CVSS v3.1 base score of 8.8, indicating a significant risk if exploited.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for suspicious URL parameters, specifically the `callbackUrl` parameter in requests to the Ory Polis login page. Look for URLs where `callbackUrl` contains JavaScript schemes such as `javascript:` which indicate potential exploitation attempts.

You can use network monitoring or web server logs to search for such patterns.

  • Use grep or similar tools on web server logs to find suspicious callbackUrl parameters, for example: grep -i 'callbackUrl=javascript:' access.log
  • Use curl or wget to test the login endpoint with crafted URLs to verify if the application improperly redirects or executes scripts.
  • Monitor browser developer tools or use automated scanning tools that detect DOM-based XSS by analyzing client-side redirects and URL parameter handling.

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade Ory Polis to version 26.2.0 or later, which contains a patch for this DOM-based XSS vulnerability.

If upgrading is not immediately possible, implement validation and sanitization of the `callbackUrl` parameter before passing it to `router.push`.

  • Validate that the `callbackUrl` is a relative or absolute URL with the same origin as the application.
  • Ensure the URL protocol is either `http:` or `https:` and reject or fallback to a safe default path if validation fails.
  • Use a validation function similar to the following example: ```javascript function isValidRedirectPath(path) { try { const url = new URL(path, window.location.origin); return url.origin === window.location.origin && (url.protocol === 'http:' || url.protocol === 'https:'); } catch { return false; } } ```

Additionally, consider enabling stricter redirect URL matching using the environment variable `OPENID_REDIRECT_EXACT_MATCH` as introduced in version 26.2.0.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The vulnerability allows an attacker to execute arbitrary JavaScript in the context of an authenticated user's browser, potentially leading to credential theft, unauthorized actions, and internal network pivoting.

Such impacts could compromise the confidentiality and integrity of sensitive user data, which may affect compliance with data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive information against unauthorized access and breaches.

However, the provided information does not explicitly discuss compliance implications or specific regulatory impacts.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart