CVE-2026-42195
Received Received - Intake
OAuth GitLab URL Override in draw.io

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.9, the draw.io client accepts a ?gitlab= URL parameter that overrides the GitLab server URL used during OAuth sign-in. A crafted link causes the user's click on draw.io's "Authorize in GitLab" dialog to open a popup on the attacker-controlled host instead of gitlab.com. This can lead to credential fishing and session state token exfiltration. This issue has been patched in version 29.7.9.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-09
EPSS Evaluated
2026-06-18
NVD
CVE-2026-42195
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
draw.io draw.io to 29.7.9 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in draw.io allows an attacker to trick users into authorizing OAuth sign-in through a malicious host, potentially leading to credential phishing and session token exfiltration.

Such unauthorized access to user credentials and session tokens could result in unauthorized access to personal or sensitive data, which may impact compliance with data protection regulations like GDPR and HIPAA that require safeguarding user authentication and session integrity.

However, the provided information does not explicitly state the direct impact on compliance with these standards.

Executive Summary

This vulnerability exists in draw.io versions prior to 29.7.9. The draw.io client accepts a ?gitlab= URL parameter that overrides the GitLab server URL used during OAuth sign-in. An attacker can craft a malicious link that causes the user, when clicking on draw.io's "Authorize in GitLab" dialog, to open a popup on an attacker-controlled host instead of the legitimate gitlab.com site.

This behavior can lead to credential phishing and the exfiltration of session state tokens, potentially compromising user accounts.

The issue was fixed in draw.io version 29.7.9.

Impact Analysis

The vulnerability can impact users by exposing them to credential phishing attacks. When a user clicks the compromised authorization dialog, their credentials or session tokens may be stolen by an attacker-controlled site.

This can lead to unauthorized access to the user's GitLab account or other linked services, potentially resulting in data theft or account compromise.

Mitigation Strategies

To mitigate this vulnerability, update the draw.io client to version 29.7.9 or later, where the issue has been patched.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42195. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart