CVE-2026-45307
Deferred Deferred - Pending Action
Speakr Open Redirect via Scheme-Relative URL in Redirect

Publication date: 2026-05-28

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
Speakr is a personal, self-hosted web application designed for transcribing audio recordings. Prior to 0.8.20-alpha, the is_safe_url() helper used to validate post-login redirect targets applied urljoin(request.host_url, target) before parsing, while the controller passed the raw target to redirect(). A scheme-relative input such as ////evil.com resolved to a same-host URL during validation but was emitted verbatim in the Location header, where the browser interpreted it as a network-path-relative redirect to an attacker-controlled host. This vulnerability is fixed in 0.8.20-alpha.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-06-01
Generated
2026-06-18
AI Q&A
2026-05-28
EPSS Evaluated
2026-06-16
NVD
CVE-2026-45307
EUVD
EUVD-2026-32967
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
murtaza-nasir speakr to 0.8.20-alpha (exc)
murtaza-nasir speakr to 0.8.19-alpha (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-45307 is a moderate severity vulnerability in the Speakr web application (versions up to 0.8.19-alpha) that allows open redirect attacks.

The issue occurs because the is_safe_url() function incorrectly validates scheme-relative URLs like ////evil.com. During validation, these URLs are treated as safe because they resolve to a same-host URL, but when used in the Location header for redirection, they are emitted verbatim. Browsers interpret these as network-path-relative redirects to attacker-controlled domains.

This mismatch between validation and actual redirect behavior enables attackers to craft malicious links that appear to come from a trusted Speakr deployment but redirect users to harmful sites.

Impact Analysis

This vulnerability can be exploited to perform phishing attacks by redirecting users from a trusted Speakr instance to attacker-controlled websites.

Because the redirect is triggered by user interaction (clicking a link), attackers can trick users into visiting malicious sites that may steal credentials, deliver malware, or perform other harmful actions.

The vulnerability has a CVSS score of 6.1, indicating moderate severity with network attack vector, low complexity, no privileges required, but user interaction needed and a scope change.

Detection Guidance

This vulnerability can be detected by monitoring HTTP requests to the Speakr application for suspicious redirect parameters, specifically the 'next' query parameter containing scheme-relative URLs such as those starting with '//' or '\\'.

You can use network traffic inspection tools or web server logs to identify requests where the 'next' parameter begins with these patterns, which indicate potential exploitation attempts.

  • Use grep or similar tools on web server logs to find requests with 'next' parameters starting with '//' or '\\':
  • grep -E 'next=(//|\\\\)' access.log
  • Use network packet capture tools like tcpdump or Wireshark to filter HTTP requests containing suspicious 'next' parameters.
  • Implement web application firewall (WAF) rules to detect and alert on redirect parameters with scheme-relative URLs.
Mitigation Strategies

Immediate mitigation steps include upgrading Speakr to version 0.8.20-alpha or later, where the vulnerability is fixed by stricter validation of redirect targets.

If upgrading is not immediately possible, you can implement a reverse proxy to strip or block requests with 'next' query parameters that start with '//' or '\\', or contain URL schemes.

Additionally, blocking or filtering such requests at the web server or firewall level can reduce the risk of exploitation.

Compliance Impact

This vulnerability enables open redirect attacks that can be exploited for phishing, potentially leading to unauthorized redirection of users to attacker-controlled sites.

Such phishing attacks could result in unauthorized access to personal or sensitive data, which may impact compliance with data protection regulations like GDPR and HIPAA that require safeguarding user data and preventing unauthorized access.

However, the provided information does not explicitly state the direct impact of this vulnerability on compliance with these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45307. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart