CVE-2026-56326
Analyzed Analyzed - Analysis Complete

Open Redirect in Nuxt.js via Path Normalization

Vulnerability report for CVE-2026-56326, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-25

Assigner: VulnCheck

Description

Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 contain a server-side open redirect vulnerability in navigateTo that fails to properly validate path-normalized payloads like /..//evil.com and /.//evil.com. Attackers can bypass external-host checks using path-normalization techniques to redirect users to attacker-controlled sites via the Location header or meta-refresh, enabling phishing and OAuth authorization-code theft.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-25
Generated
2026-07-13
AI Q&A
2026-06-23
EPSS Evaluated
2026-07-11
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
nuxt nuxt From 4.0.0 (inc) to 4.4.7 (exc)
nuxt nuxt From 3.0.0 (inc) to 3.21.7 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7. It is a server-side open redirect issue in the navigateTo function, which fails to properly validate certain path-normalized payloads such as /..//evil.com and /.//evil.com.

Attackers can exploit this flaw by bypassing external-host checks using path-normalization techniques, allowing them to redirect users to attacker-controlled websites via the Location header or meta-refresh.

This can be used to facilitate phishing attacks and theft of OAuth authorization codes.

Impact Analysis

The vulnerability can impact you by enabling attackers to redirect your users to malicious websites without proper validation.

This can lead to phishing attacks where users are tricked into providing sensitive information.

Additionally, attackers can steal OAuth authorization codes, potentially compromising user accounts and access.

Compliance Impact

The vulnerability allows attackers to redirect users to malicious external sites via open redirect flaws in Nuxt's navigateTo function. This can enable phishing attacks and OAuth authorization-code theft.

Such phishing and authorization-code theft risks can lead to unauthorized access to personal or sensitive data, potentially violating data protection regulations like GDPR or HIPAA that require safeguarding user data and preventing unauthorized access.

Therefore, if exploited, this vulnerability could undermine compliance with standards that mandate secure handling of user data and protection against phishing and credential theft.

Detection Guidance

This vulnerability involves open redirects via path-normalization bypasses in Nuxt's navigateTo function, which can be detected by monitoring for suspicious redirect patterns in HTTP responses.

Specifically, look for Location headers or meta-refresh tags containing path-normalized payloads such as "/..//evil.com" or "/.//evil.com" that redirect users to external or attacker-controlled domains.

On your network or system, you can detect exploitation attempts by capturing and inspecting HTTP traffic for such redirect patterns.

  • Use network packet capture tools like tcpdump or Wireshark to filter HTTP responses with Location headers containing suspicious paths, e.g.:
  • tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'Location: /..//'
  • Use web server or application logs to search for requests or responses with redirect URLs containing path normalization bypass patterns, e.g.:
  • grep -E 'Location: /\.\./|Location: /\.//' /var/log/nginx/access.log

Additionally, review application code or runtime behavior for usage of the vulnerable navigateTo function in affected Nuxt versions.

Mitigation Strategies

The primary mitigation is to upgrade Nuxt to a patched version: 4.4.7 or later for the 4.x branch, or 3.21.7 or later for the 3.x branch.

These versions include fixes that properly validate and normalize redirect paths, preventing open redirect attacks via path normalization bypass.

If immediate upgrade is not possible, apply workarounds such as:

  • Validate redirect targets strictly to ensure they are same-origin and do not start with multiple slashes or protocol-relative URLs.
  • Reject or sanitize redirect paths containing path traversal sequences like "/..//" or "/.//".
  • Avoid using the vulnerable navigateTo and reloadNuxtApp functions with untrusted input.

Monitoring and logging redirect behavior can also help detect exploitation attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-56326. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart