CVE-2026-42195
OAuth GitLab URL Override in draw.io

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.9, the draw.io client accepts a ?gitlab= URL parameter that overrides the GitLab server URL used during OAuth sign-in. A crafted link causes the user's click on draw.io's "Authorize in GitLab" dialog to open a popup on the attacker-controlled host instead of gitlab.com. This can lead to credential phishing and exfiltration of the OAuth session state token. This issue has been patched in version 29.7.9.
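As an added example (not draw.io's own code), here is the defect class beside its fix in a browser client: an unchecked resolver that lets ?gitlab= pick the OAuth server, and an allowlisted resolver that only accepts https origins on a fixed set of hosts. The allowed host names, the authorize path and the client_id/redirect_uri/state values are assumptions.

```javascript
// Added example, not draw.io's code. Uses the WHATWG URL API available
// in browsers and Node.js; host list and OAuth parameters are assumptions.

const DEFAULT_GITLAB = "https://gitlab.com";

// Hosts the operator has chosen to trust (constructed sample list).
const ALLOWED_GITLAB_HOSTS = new Set(["gitlab.com", "gitlab.example-corp.internal"]);

// Unchecked variant: whatever ?gitlab= says becomes the OAuth server,
// so a crafted link can point the authorize popup at any host.
function resolveGitlabBaseUnchecked(pageUrl) {
  const param = new URL(pageUrl).searchParams.get("gitlab");
  return param || DEFAULT_GITLAB;
}

// Hardened variant: parse the value, require https, reject embedded
// credentials, require an allowlisted host, and keep only the origin.
function resolveGitlabBase(pageUrl) {
  const param = new URL(pageUrl).searchParams.get("gitlab");
  if (!param) return DEFAULT_GITLAB;
  let candidate;
  try {
    candidate = new URL(param);
  } catch (e) {
    return DEFAULT_GITLAB; // not an absolute URL at all
  }
  if (candidate.protocol !== "https:") return DEFAULT_GITLAB;
  if (candidate.username || candidate.password) return DEFAULT_GITLAB;
  if (!ALLOWED_GITLAB_HOSTS.has(candidate.hostname)) return DEFAULT_GITLAB;
  // origin drops any path, query or fragment smuggled into the parameter.
  return candidate.origin;
}

// Builds the URL the "Authorize in GitLab" popup would open. /oauth/authorize
// is GitLab's OAuth endpoint; clientId, redirectUri and state are placeholders.
function buildAuthorizeUrl(pageUrl, clientId, redirectUri, state) {
  const u = new URL("/oauth/authorize", resolveGitlabBase(pageUrl));
  u.searchParams.set("client_id", clientId);
  u.searchParams.set("redirect_uri", redirectUri);
  u.searchParams.set("response_type", "code");
  u.searchParams.set("state", state);
  return u.toString();
}
```

Because the hardened resolver rebuilds the base from the parsed origin, a value such as "https://gitlab.com@other.example/" (credentials before the real host) is rejected rather than partially trusted.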
Meta Information
Published: 2026-05-08
Last Modified: 2026-05-08
Generated: 2026-05-09
AI Q&A: 2026-05-09
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: draw.io
Product: draw.io
Version / Range: up to 29.7.9 (excluding)
CWE
CWE-601: The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in draw.io versions prior to 29.7.9. The draw.io client accepts a ?gitlab= URL parameter that overrides the GitLab server URL used during OAuth sign-in. An attacker can craft a malicious link that causes the user, when clicking on draw.io's "Authorize in GitLab" dialog, to open a popup on an attacker-controlled host instead of the legitimate gitlab.com site.

This behavior can lead to credential phishing and the exfiltration of session state tokens, potentially compromising user accounts.

The issue was fixed in draw.io version 29.7.9.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in draw.io allows an attacker to trick users into authorizing OAuth sign-in through a malicious host, potentially leading to credential phishing and session token exfiltration.

Such unauthorized access to user credentials and session tokens could result in unauthorized access to personal or sensitive data, which may impact compliance with data protection regulations like GDPR and HIPAA that require safeguarding user authentication and session integrity.

However, the provided information does not explicitly state the direct impact on compliance with these standards.


How can this vulnerability impact me?

The vulnerability can impact users by exposing them to credential phishing attacks. When a user clicks the compromised authorization dialog, their credentials or session tokens may be stolen by an attacker-controlled site.

This can lead to unauthorized access to the user's GitLab account or other linked services, potentially resulting in data theft or account compromise.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update the draw.io client to version 29.7.9 or later, where the issue has been patched.

