CVE-2026-10837
Received - Intake
Open Redirection in OpenProject

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)

Description
Open redirection vulnerability due to insufficient validation of the X-Forwarded-Host HTTP header. An attacker could create manipulated links that, when opened by a victim, cause the victim to be redirected to domains controlled by the attacker, enabling phishing or deception attacks with limited impact on confidentiality and integrity.
Meta Information
Published
2026-06-17
Last Modified
2026-06-17
Generated
2026-06-17
AI Q&A
2026-06-17
EPSS Evaluated
N/A
Affected Vendors & Products
1 associated CPE
Vendor: incibe
Product: password_manager
Version / Range: up to 2025-08-06 (2025-08-06 excluded)
CWE
CWE-601: The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Executive Summary

This vulnerability is an open redirection flaw caused by insufficient validation of the X-Forwarded-Host HTTP header. An attacker can craft manipulated links that, when clicked by a victim, redirect them to attacker-controlled domains.

This redirection can be used for phishing or deception attacks, tricking users into visiting malicious sites.

Detection Guidance

This vulnerability involves manipulation of the X-Forwarded-Host HTTP header to cause open redirection. Detection can focus on monitoring HTTP requests for suspicious or unexpected values in the X-Forwarded-Host header.

You can use network monitoring tools or command-line utilities to inspect HTTP headers for unusual redirection patterns.

  • Use curl to send requests and observe the X-Forwarded-Host header behavior: curl -I -H "X-Forwarded-Host: attacker.com" http://target-application/
  • Use tcpdump or Wireshark to capture HTTP traffic and filter for requests containing the X-Forwarded-Host header.
  • Use grep or similar tools on server logs to search for suspicious X-Forwarded-Host header values that could indicate exploitation attempts.
Mitigation Strategies

The primary mitigation step is to update the affected Password Manager application to the latest version released on August 7, 2025, where the vulnerability has been fixed.

Additionally, ensure proper validation and sanitization of the X-Forwarded-Host HTTP header to prevent open redirection.

Consider implementing web application firewall (WAF) rules to detect and block suspicious redirection attempts involving manipulated headers.
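As an added illustration of the validation step above (this is example code, not OpenProject's or the advisory's own), the following Python contrasts the unchecked pattern with a host resolution that honours X-Forwarded-Host only when the request arrived through a configured proxy and only for an allowlisted hostname. ALLOWED_HOSTS, TRUSTED_PROXIES and the sample header values are constructed assumptions.

```python
from urllib.parse import urlsplit

# Hostnames this deployment may answer as (constructed sample; a real
# deployment would load this from configuration).
ALLOWED_HOSTS = {"openproject.example.com", "localhost"}

# Reverse proxies trusted to set X-Forwarded-Host (constructed sample).
TRUSTED_PROXIES = {"10.0.0.5"}


def effective_host_vulnerable(headers: dict) -> str:
    """Unsafe pattern: whatever X-Forwarded-Host says wins, unchecked."""
    return headers.get("X-Forwarded-Host") or headers.get("Host", "")


def effective_host_hardened(headers: dict, remote_addr: str) -> str:
    """Resolve the hostname used to build absolute redirect URLs.

    X-Forwarded-Host is used only when the connection comes from a trusted
    proxy; otherwise the connection's own Host header is used. In both cases
    the value is reduced to a bare lowercase hostname (port and any userinfo
    dropped) and must be allowlisted, or a ValueError is raised.
    """
    forwarded = headers.get("X-Forwarded-Host")
    if forwarded and remote_addr in TRUSTED_PROXIES:
        # The header may carry a comma-separated chain; only the first hop counts.
        candidate = forwarded.split(",")[0].strip()
    else:
        candidate = headers.get("Host", "")
    # Parsing as a network-path reference yields a normalised hostname.
    hostname = urlsplit("//" + candidate).hostname or ""
    if hostname not in ALLOWED_HOSTS:
        raise ValueError(f"untrusted host: {candidate!r}")
    return hostname


def redirect_location(headers: dict, remote_addr: str, path: str = "/login") -> str:
    """Build the Location value for a redirect from the hardened hostname."""
    return f"https://{effective_host_hardened(headers, remote_addr)}{path}"
```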

Impact Analysis

The vulnerability can lead to phishing or deception attacks by redirecting users to malicious websites controlled by attackers.

The impact on confidentiality and integrity is limited, but users may be exposed to social engineering or fraud attempts.

Compliance Impact

This open redirection vulnerability could enable phishing or deception attacks by redirecting victims to attacker-controlled domains. While it has limited impact on confidentiality and integrity, such phishing risks may affect compliance with standards like GDPR or HIPAA that require protection of user data and prevention of unauthorized access or deception.

However, there is no explicit information in the provided context or resources about direct effects on compliance with GDPR, HIPAA, or other regulations.
