CVE-2026-50134
Received Received - Intake

HTTP 3xx Redirect Bypass in Hugo Static Site Generator

Vulnerability report for CVE-2026-50134, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: GitHub, Inc.

Description

Hugo is a static site generator. From 0.91.0 until 0.162.0, resources.GetRemote enforces security.http.urls on the URL it is called with, but it did not re-validate intermediate URLs on HTTP 3xx redirects. An allowed server (or an attacker controlling its DNS or response) could therefore redirect the request to a host that the policy was meant to forbid and Hugo would fetch from the redirected target. The same bypass also lifted any host-shape restriction the operator had put in place. This vulnerability is fixed in 0.162.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-07
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
gohugoio hugo From 0.91.0 (inc) to 0.161.1 (inc)
gohugoio hugo 0.162.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability in Hugo affects the way it handles HTTP redirects when fetching remote resources using the resources.GetRemote function. Although Hugo enforces a security allow-list (security.http.urls) on the initial URL, it does not re-validate intermediate URLs during HTTP 3xx redirects. This means that a server allowed by the policy, or an attacker controlling that server's DNS or response, can redirect the request to a host that the policy was meant to forbid. As a result, Hugo may fetch resources from disallowed hosts, bypassing security restrictions.

The issue was fixed in Hugo version 0.162.0 by adding a CheckRedirect function to the HTTP client. This function validates each redirect URL against the allow-list and stops after 10 redirects to prevent infinite loops.

Impact Analysis

This vulnerability can allow an attacker to bypass security restrictions configured in Hugo's security.http.urls allow-list. By exploiting HTTP redirects, an attacker controlling an allowed server can redirect resource requests to forbidden hosts, such as localhost or internal IP addresses.

This bypass can lead to unauthorized access to internal resources or data that should be protected by the allow-list. It also invalidates any host-shape restrictions set by the operator, potentially exposing sensitive internal infrastructure or data.

Detection Guidance

This vulnerability involves HTTP redirects that bypass the security.http.urls allow-list in Hugo's resources.GetRemote function. Detection would involve monitoring HTTP requests made by Hugo for unexpected redirects to disallowed hosts.

Since the issue is related to HTTP 3xx redirects not being re-validated, you can detect potential exploitation by capturing and analyzing HTTP traffic from Hugo instances to identify redirect chains leading to hosts outside the allowed list.

Suggested commands include using network traffic analysis tools such as:

  • tcpdump or tshark to capture HTTP traffic from the system running Hugo, e.g., `tcpdump -i <interface> -A 'tcp port 80 or 443'`
  • curl with verbose output to manually test URLs Hugo fetches, e.g., `curl -v <URL>` to observe redirect chains
  • Using HTTP debugging proxies like mitmproxy or Fiddler to inspect redirect responses and verify if redirects lead to disallowed hosts

Additionally, reviewing Hugo logs or enabling debug logging may help identify calls to resources.GetRemote that result in redirects to unexpected hosts.

Mitigation Strategies

The vulnerability is fixed in Hugo version 0.162.0 by adding a CheckRedirect function that validates each redirect URL against the security.http.urls allow-list and limits redirects to 10 hops.

Immediate mitigation steps include:

  • Upgrade Hugo to version 0.162.0 or later, where the vulnerability is fixed.
  • No configuration changes are required for mitigation once upgraded.

Until the upgrade can be applied, consider restricting network access to trusted hosts and monitoring HTTP requests for suspicious redirects as a temporary measure.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50134. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart