CVE-2026-42565
Open Redirect in WorkOS AuthKit Session
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| workos | @workos/authkit-session | < 0.5.1 (0.5.1 excluded; fixed in 0.5.1) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability is an open redirect that allows attackers to redirect users to external, attacker-controlled sites, potentially facilitating phishing or social engineering attacks.
While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, such phishing risks could indirectly impact compliance by exposing users to social engineering attacks that might lead to unauthorized access or data breaches.
Therefore, organizations using the affected versions should consider the risk of phishing facilitated by this vulnerability as a factor in their overall security posture and compliance efforts, especially where user data protection and privacy regulations apply.
Can you explain this vulnerability to me?
CVE-2026-42565 is an open redirect vulnerability in the @workos/authkit-session library, specifically in the AuthService.handleCallback function. The vulnerability occurs because the returnPathname value, which is derived from the OAuth state parameter, is not validated or sanitized before use. In the OAuth authorization code flow the identity provider echoes state back unchanged on the callback, so an attacker who gets a victim to start a login with a crafted state value (for example through a link) controls what handleCallback receives; malicious values such as full URLs or protocol-relative URLs can therefore be injected. When the application uses this returnPathname directly as the redirect target, users are sent to attacker-controlled external sites.
This vulnerability was fixed in version 0.5.1 by introducing a sanitization function that ensures the returnPathname is a safe, same-origin relative path starting with exactly one slash, preventing redirects to external origins.
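The following is an added example and not code from this page or from @workos/authkit-session. It places the vulnerable pattern the advisory describes (the state-derived returnPathname used unchanged as the redirect target) beside a sanitizer that implements the rule the fix describes, a same-origin relative path starting with exactly one slash, and extends it to backslash, control-character and whitespace variants that browsers or URL parsers would also turn into an off-origin target. The function names and the "/" fallback are assumptions for illustration.

```javascript
// Added illustration of CVE-2026-42565, not the library's own code.
// Function names and the "/" fallback are assumptions.

// Vulnerable pattern: whatever returnPathname came back via state is
// used as the Location target without validation.
function vulnerableRedirectTarget(returnPathname) {
  return returnPathname || "/";
}

// Hardened: accept only a same-origin relative path that begins with
// exactly one forward slash; anything else collapses to the fallback.
function sanitizeReturnPathname(returnPathname, fallback = "/") {
  if (typeof returnPathname !== "string" || returnPathname.length === 0) {
    return fallback;
  }
  // Exactly one leading slash. This single check rejects absolute URLs
  // ("https://evil.example"), scheme tricks ("javascript:..."),
  // protocol-relative URLs ("//evil.example", "///evil.example")
  // and bare words ("dashboard").
  if (!returnPathname.startsWith("/") || returnPathname.startsWith("//")) {
    return fallback;
  }
  // Browsers and the WHATWG URL parser treat "\" like "/", so
  // "/\evil.example" would be read as "//evil.example". Reject it.
  if (returnPathname.startsWith("/\\")) {
    return fallback;
  }
  // Control characters and whitespace have no place in a path and can
  // cause parser disagreement or header injection downstream.
  if (/[\u0000-\u001f\u007f\s]/.test(returnPathname)) {
    return fallback;
  }
  // Belt and braces: resolve against a fixed placeholder origin and
  // confirm the result stayed on it; return the normalised path,
  // query and fragment rather than the raw input.
  const origin = "https://placeholder.invalid";
  let resolved;
  try {
    resolved = new URL(returnPathname, origin);
  } catch {
    return fallback;
  }
  if (resolved.origin !== origin) {
    return fallback;
  }
  return resolved.pathname + resolved.search + resolved.hash;
}

// Hardened equivalent of vulnerableRedirectTarget.
function hardenedRedirectTarget(returnPathname) {
  return sanitizeReturnPathname(returnPathname, "/");
}
```

The startsWith checks already enforce the "exactly one slash" rule from the fix; the URL-resolution step is a second, independent guard so that a future parser quirk in the string checks cannot on its own reopen the redirect. Returning the re-serialised path rather than the raw input also strips anything the parser normalised away.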
How can this vulnerability impact me?
This vulnerability can impact you by enabling attackers to redirect your users to malicious external websites after authentication. Such redirects can be used to conduct phishing or social engineering attacks, potentially tricking users into revealing sensitive information or credentials.
The vulnerability does not allow attackers to bypass authentication or disclose tokens directly, but it increases the risk of successful social engineering by exploiting trusted redirects within your application.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves an open redirect caused by insufficient validation of the returnPathname value derived from the OAuth state parameter in the @workos/authkit-session package prior to version 0.5.1.
To detect this vulnerability on your system, check whether your application depends on a vulnerable version of @workos/authkit-session (any version before 0.5.1) and whether its callback handling passes the returnPathname value into a redirect without validation.
Since the vulnerability is related to redirect URLs derived from OAuth state parameters, you can monitor network traffic or logs for suspicious redirect URLs that include external domains or unusual URL schemes.
Suggested commands to help detect potential exploitation or presence of the vulnerability include:
- Search your codebase for usage of AuthService.handleCallback or direct usage of returnPathname in redirects, e.g., using grep: `grep -r "handleCallback" ./` or `grep -r "returnPathname" ./`
- Check your package.json or lock files for the version of @workos/authkit-session: `npm list @workos/authkit-session` or `yarn list @workos/authkit-session`
- Monitor HTTP access logs or proxy logs for redirect responses (HTTP 3xx) whose Location header points off-origin. Note that the default combined access-log format does not record response headers, so the Location value has to be logged explicitly first (Apache's `%{Location}o` in a custom LogFormat, nginx's `$sent_http_location` in a log_format) or taken from a TLS-terminating proxy that already logs it. Once it is present, filter for values that start with a scheme or with `//` and are not your own origin, e.g. `grep -i location access.log | grep -E "(https?:)?//" | grep -v "//app.example.com"`.
- Packet capture (Wireshark or tcpdump) only helps where you can see plaintext: OAuth callbacks run over TLS, so inspect them at the TLS-terminating proxy or in application logs instead, looking for callback requests whose state parameter decodes to a returnPathname that is an absolute or protocol-relative URL rather than a same-origin path.
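As an added example (not from this page or from the library), the log check described above run over constructed access-log lines: it extracts the state parameter from requests to the callback path, decodes it and flags any decoded returnPathname that is not a same-origin relative path. Two assumptions are built in and must be adapted before use: the callback path is `/callback`, and state is encoded as base64url JSON carrying a `returnPathname` field. The real state format of @workos/authkit-session is not described on this page.

```javascript
// Added detection example for CVE-2026-42565; not the library's code.
// ASSUMPTIONS: callback path is /callback and state is base64url JSON
// with a returnPathname field. Adapt both to your deployment.

// Builds a state value in the assumed encoding (used only to construct
// the sample log lines below).
function encodeState(obj) {
  return Buffer.from(JSON.stringify(obj), "utf8").toString("base64url");
}

// Constructed sample lines in the common log format. The second and third
// carry off-origin returnPathname values; the fourth has an undecodable
// state; the fifth is not a callback request at all.
const SAMPLE_LOG = [
  `198.51.100.7 - - [11/May/2026:10:00:01 +0000] "GET /callback?code=c1&state=${encodeState({ returnPathname: "/dashboard" })} HTTP/1.1" 302 0`,
  `198.51.100.7 - - [11/May/2026:10:00:02 +0000] "GET /callback?code=c2&state=${encodeState({ returnPathname: "https://evil.example/login" })} HTTP/1.1" 302 0`,
  `198.51.100.9 - - [11/May/2026:10:00:03 +0000] "GET /callback?code=c3&state=${encodeState({ returnPathname: "//evil.example" })} HTTP/1.1" 302 0`,
  `198.51.100.9 - - [11/May/2026:10:00:04 +0000] "GET /callback?code=c4&state=not-base64-json HTTP/1.1" 302 0`,
  `198.51.100.9 - - [11/May/2026:10:00:05 +0000] "GET /static/app.js HTTP/1.1" 200 1234`,
];

// Request target inside the quoted request line of a common-log entry.
const REQUEST_RE = /"(?:GET|POST) (\S+) HTTP\/[\d.]+"/;
// A same-origin relative path: one leading slash, not followed by "/" or "\".
const SAFE_PATH_RE = /^\/(?![\/\\])/;

// Returns the returnPathname string from an assumed-format state value,
// or null if it does not decode to that shape.
function decodeReturnPathname(state) {
  try {
    const parsed = JSON.parse(Buffer.from(state, "base64url").toString("utf8"));
    return typeof parsed.returnPathname === "string" ? parsed.returnPathname : null;
  } catch {
    return null;
  }
}

// Scans log lines and returns one finding per suspicious callback request.
function scanLogLines(lines, callbackPath = "/callback") {
  const findings = [];
  for (const line of lines) {
    const m = REQUEST_RE.exec(line);
    if (!m) continue;
    let target;
    try {
      // The base only lets the parser accept a relative request target.
      target = new URL(m[1], "http://placeholder.invalid");
    } catch {
      continue;
    }
    if (target.pathname !== callbackPath) continue;
    const state = target.searchParams.get("state");
    if (state === null) continue;
    const returnPathname = decodeReturnPathname(state);
    if (returnPathname === null) {
      findings.push({ line, returnPathname: null, reason: "state did not decode to the expected shape" });
    } else if (!SAFE_PATH_RE.test(returnPathname)) {
      findings.push({ line, returnPathname, reason: "returnPathname is not a same-origin relative path" });
    }
  }
  return findings;
}

// Stand-alone run over the constructed sample.
for (const f of scanLogLines(SAMPLE_LOG)) {
  console.log(`${f.reason}: ${f.returnPathname ?? "(undecodable)"}`);
}
```

Undecodable state values are reported as a separate finding class rather than ignored: on a vulnerable deployment they may simply mean the decoder assumption is wrong, so tune that branch to silence once the real state format is known rather than dropping it outright.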
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the @workos/authkit-session package to version 0.5.1 or later, where the vulnerability has been fixed.
The fix involves sanitizing the returnPathname value to ensure it is a same-origin relative path beginning with exactly one slash, preventing redirects to external or attacker-controlled sites.
If upgrading immediately is not possible, implement strict validation or allowlisting of redirect URLs derived from the OAuth state parameter to ensure they do not point to external domains or use unsafe URL schemes.
Additionally, monitor and audit your application's redirect logic to ensure no untrusted input is used directly in redirects without proper sanitization.