Executive Summary

CVE-2026-42259 is an open redirect vulnerability in Saltcorn, an open source no-code database application builder. The issue arises because Saltcorn's validation of the post-login destination URL (the 'dest' parameter) is incomplete. It only blocks certain patterns like ':/ ' and '//' but fails to block backslashes ('\'). Since modern browsers normalize backslashes to forward slashes, an attacker can craft a URL with a backslash that bypasses the check and causes the browser to redirect to an attacker-controlled domain after login.

This vulnerability can be triggered by tricking a user into logging in via a specially crafted Saltcorn URL. The vulnerable code decodes the destination parameter twice and redirects without properly encoding backslashes, allowing malicious redirects under the guise of a trusted Saltcorn domain.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to open redirect attacks where users are redirected to attacker-controlled websites after logging in. Such redirects can be used for credential phishing, where attackers impersonate legitimate sites to steal user credentials or other sensitive information.

Because the redirect appears to come from a trusted Saltcorn domain, users may be more likely to trust the malicious site, increasing the risk of successful phishing or other social engineering attacks.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring HTTP responses from Saltcorn servers for suspicious Location headers that contain backslashes (\) or unusual redirect destinations after login attempts.

You can use network traffic inspection tools like curl or tcpdump to capture and analyze HTTP redirects.

• Use curl to perform a login request with a crafted dest parameter and observe the Location header in the response, for example: curl -v 'https://your-saltcorn-instance/login?dest=/\evil.com/path'
• Use tcpdump or Wireshark to capture HTTP traffic and filter for HTTP 3xx responses with Location headers containing backslashes or unexpected domains.
• Check server-side logs for unusual redirect URLs or repeated login attempts with suspicious dest parameters.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Saltcorn to a patched version: 1.4.6, 1.5.6, or 1.6.0-beta.5 or later.

Until you can upgrade, consider implementing additional validation or filtering on the dest parameter to block backslashes and non-http(s) schemes before redirecting.

Educate users to be cautious about clicking on suspicious login URLs that may contain crafted dest parameters.

Monitor for unusual redirect behavior and consider temporarily disabling redirects based on user-supplied parameters if feasible.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in Saltcorn allows an attacker to redirect users to malicious domains via crafted URLs after login, potentially enabling credential phishing or other malicious activities under the guise of a trusted domain.

Such unauthorized redirection and potential phishing risks could lead to unauthorized access or disclosure of personal or sensitive data, which may impact compliance with standards and regulations like GDPR or HIPAA that require protection of user data and prevention of phishing attacks.

However, the provided information does not explicitly state the direct impact on compliance with these regulations.

Useful 0 Not Useful 0