CVE-2026-42565
Status: Received - Intake
Open Redirect in WorkOS AuthKit Session

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
@workos/authkit-session is a toolkit for building WorkOS AuthKit framework integrations. Prior to 0.5.1, an open redirect vulnerability exists in AuthService.handleCallback due to insufficient validation of the returnPathname value derived from the OAuth state parameter. The state parameter is round-tripped through the identity provider (IdP) and can be influenced by an attacker. The handleCallback function decodes and returns returnPathname without enforcing restrictions on origin or scheme. As a result, attacker-controlled values may be returned to the application. If this value is used directly in a redirect, it may cause the user to be redirected to an external, attacker-controlled site. This vulnerability is fixed in 0.5.1.
Meta Information
Published: 2026-05-11
Last Modified: 2026-05-11
Generated: 2026-05-12
AI Q&A: 2026-05-12
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: workos
Product: authkit-session
Version / Range: all versions before 0.5.1 (0.5.1 excluded)
CWE: CWE-601, URL Redirection to Untrusted Site ('Open Redirect'). The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability is an open redirect that allows attackers to redirect users to external, attacker-controlled sites, potentially facilitating phishing or social engineering attacks.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, such phishing risks could indirectly impact compliance by exposing users to social engineering attacks that might lead to unauthorized access or data breaches.

Therefore, organizations using the affected versions should consider the risk of phishing facilitated by this vulnerability as a factor in their overall security posture and compliance efforts, especially where user data protection and privacy regulations apply.


Can you explain this vulnerability to me?

CVE-2026-42565 is an open redirect vulnerability in the @workos/authkit-session library, specifically in the AuthService.handleCallback function. The vulnerability occurs because the returnPathname value, which is derived from the OAuth state parameter, is not properly validated or sanitized. Since the state parameter is passed through the identity provider and can be influenced by an attacker, malicious values like full URLs or protocol-relative URLs can be injected. When the application uses this returnPathname directly in a redirect, it can cause users to be redirected to attacker-controlled external sites.

This vulnerability was fixed in version 0.5.1 by introducing a sanitization function that ensures the returnPathname is a safe, same-origin relative path starting with exactly one slash, preventing redirects to external origins.


How can this vulnerability impact me?

This vulnerability can impact you by enabling attackers to redirect your users to malicious external websites after authentication. Such redirects can be used to conduct phishing or social engineering attacks, potentially tricking users into revealing sensitive information or credentials.

The vulnerability does not allow attackers to bypass authentication or disclose tokens directly, but it increases the risk of successful social engineering by exploiting trusted redirects within your application.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves an open redirect caused by insufficient validation of the returnPathname value derived from the OAuth state parameter in the @workos/authkit-session package prior to version 0.5.1.

To detect this vulnerability on your system, you should check if your application uses a vulnerable version of the @workos/authkit-session package (any version before 0.5.1) and if it uses the returnPathname value directly in redirects without validation.

Since the vulnerability is related to redirect URLs derived from OAuth state parameters, you can monitor network traffic or logs for suspicious redirect URLs that include external domains or unusual URL schemes.

Suggested commands to help detect potential exploitation or presence of the vulnerability include:

  • Search your codebase for usage of AuthService.handleCallback or direct usage of returnPathname in redirects, e.g., using grep: `grep -r "handleCallback" ./` or `grep -r "returnPathname" ./`
  • Check your package.json or lock files for the version of @workos/authkit-session: `npm list @workos/authkit-session` or `yarn list @workos/authkit-session`
  • Monitor HTTP access logs or proxy logs for redirect responses (HTTP 3xx) with Location headers pointing to external or suspicious domains, e.g., using grep: `grep -i Location access.log | grep -E "https?://|//"`
  • Use network traffic inspection tools (like Wireshark or tcpdump) to capture OAuth callback requests and responses, looking for state parameters that decode to external URLs.
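The `grep -E "https?://|//"` filter above has two blind spots worth knowing about: it flags every absolute same-origin Location (noise) and misses the backslash variant `/\evil.example`, which browsers and the WHATWG URL parser treat as protocol-relative. The scanner below, an added example that is not code from the page or from WorkOS, classifies 3xx responses by the origin their Location actually resolves to. The JSON-lines proxy log format and every entry in it are constructed for the demonstration; the `app.example` and `evil.example` hosts are placeholders.

```javascript
// Added example (not from the page or from @workos/authkit-session): flag
// 3xx responses whose Location resolves off the app's origin. The JSON-lines
// log format is an assumption; every entry below is constructed.

// Constructed sample log: one line per response on the OAuth callback route.
const SAMPLE_LOG = [
  { ts: "2026-05-12T10:00:01Z", path: "/callback?code=x&state=y", status: 302, location: "/dashboard" },
  { ts: "2026-05-12T10:00:02Z", path: "/callback?code=x&state=y", status: 302, location: "https://app.example/settings" },
  { ts: "2026-05-12T10:00:03Z", path: "/callback?code=x&state=y", status: 302, location: "//evil.example/login" },
  { ts: "2026-05-12T10:00:04Z", path: "/callback?code=x&state=y", status: 302, location: "/\\evil.example/login" },
  { ts: "2026-05-12T10:00:05Z", path: "/callback?code=x&state=y", status: 302, location: "javascript:alert(1)" },
  { ts: "2026-05-12T10:00:06Z", path: "/api/me", status: 200, location: null },
].map((e) => JSON.stringify(e)).join("\n");

// Resolve a Location value the way a browser would, relative to the app's
// origin, and report the origin it actually lands on. Opaque schemes such as
// javascript: yield the string "null"; unparseable values are labelled.
function resolveRedirect(location, appOrigin) {
  try {
    return new URL(location, appOrigin).origin;
  } catch {
    return "unparseable";
  }
}

// Return the log entries whose redirect leaves the app's origin.
function findOffOriginRedirects(logText, appOrigin) {
  const expected = new URL(appOrigin).origin;
  const hits = [];
  for (const line of logText.split("\n")) {
    if (!line.trim()) continue;
    let entry;
    try {
      entry = JSON.parse(line);
    } catch {
      continue; // skip malformed lines rather than abort the scan
    }
    if (entry.status < 300 || entry.status > 399 || !entry.location) continue;
    const target = resolveRedirect(entry.location, appOrigin);
    if (target !== expected) {
      hits.push({ ts: entry.ts, path: entry.path, location: entry.location, target });
    }
  }
  return hits;
}

const APP_ORIGIN = "https://app.example";
for (const h of findOffOriginRedirects(SAMPLE_LOG, APP_ORIGIN)) {
  console.log(`${h.ts} ${h.path} -> ${h.location} (resolves to ${h.target})`);
}
```

Run against the constructed log it reports three hits: the protocol-relative target, the backslash variant (both resolve to `https://evil.example`), and the `javascript:` target (origin `null`), while the same-origin absolute Location on line 2 is left alone.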

What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade the @workos/authkit-session package to version 0.5.1 or later, where the vulnerability has been fixed.

The fix involves sanitizing the returnPathname value to ensure it is a same-origin relative path beginning with exactly one slash, preventing redirects to external or attacker-controlled sites.

If upgrading immediately is not possible, implement strict validation or allowlisting of redirect URLs derived from the OAuth state parameter to ensure they do not point to external domains or use unsafe URL schemes.

Additionally, monitor and audit your application's redirect logic to ensure no untrusted input is used directly in redirects without proper sanitization.
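The two answers above ("Can you explain this vulnerability to me?" and the mitigation steps) describe the same thing from both sides: a `returnPathname` handed back unchanged from the round-tripped `state`, and a fix that accepts only a same-origin relative path with exactly one leading slash. The block below is an added example, not code from @workos/authkit-session or from the page, showing the vulnerable shape beside a sanitizer with those properties. The library's real state encoding is not described on this page; base64url-encoded JSON is an assumption used here so the round trip can be demonstrated, and `app.example` / `evil.example` are placeholder hosts.

```javascript
// Added example (not code from @workos/authkit-session): the vulnerable
// passthrough beside a hardened sanitizer. The state encoding (base64url
// JSON) is an assumption made for illustration only.

// Attacker-side: the state value is whatever the client sent to the IdP's
// authorize endpoint, so an attacker can seed it with any returnPathname.
function encodeState(obj) {
  return Buffer.from(JSON.stringify(obj), "utf8").toString("base64url");
}

function decodeState(state) {
  try {
    return JSON.parse(Buffer.from(String(state), "base64url").toString("utf8"));
  } catch {
    return {};
  }
}

// Vulnerable shape (the pre-0.5.1 behaviour as the advisory describes it):
// the decoded returnPathname is returned with no origin or scheme check.
function returnPathnameUnsafe(state) {
  const { returnPathname } = decodeState(state);
  return typeof returnPathname === "string" ? returnPathname : "/";
}

// Hardened: accept only a same-origin relative path that starts with exactly
// one slash. Anything else collapses to the fallback.
function sanitizeReturnPathname(value, fallback = "/") {
  if (typeof value !== "string") return fallback;
  // Exactly one leading slash: "//host", "/\host" and "///host" are all
  // treated as protocol-relative by browsers and WHATWG URL parsing.
  if (!/^\/(?![\/\\])/.test(value)) return fallback;
  // Control characters and whitespace have no place in a redirect target.
  if (/[\u0000-\u0020\u007f]/.test(value)) return fallback;
  // Resolve against a placeholder origin and require the parser to agree the
  // result stays on it; this also normalises "/../" segments.
  const base = "https://placeholder.invalid";
  let parsed;
  try {
    parsed = new URL(value, base);
  } catch {
    return fallback;
  }
  if (parsed.origin !== base) return fallback;
  return parsed.pathname + parsed.search + parsed.hash;
}

function returnPathnameSafe(state) {
  return sanitizeReturnPathname(decodeState(state).returnPathname);
}

// Where the application finally redirects: only the sanitized value keeps the
// Location header on the app's own origin.
function buildLocation(appOrigin, pathname) {
  return new URL(pathname, appOrigin).href;
}

// Demo with a constructed attacker state (not a real capture).
const APP_ORIGIN = "https://app.example";
const attackerState = encodeState({ returnPathname: "//evil.example/login" });
console.log("unsafe:", buildLocation(APP_ORIGIN, returnPathnameUnsafe(attackerState)));
console.log("safe:  ", buildLocation(APP_ORIGIN, returnPathnameSafe(attackerState)));
```

The regex check and the `URL` parse are deliberately both present: the regex rejects the protocol-relative and backslash forms before they reach the parser, and the parser catches anything the regex did not anticipate by confirming the resolved origin is still the placeholder. If an application needs to allow a fixed set of trusted external origins, that belongs in a separate explicit allowlist, not in this function.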

