CVE-2026-33213 in Redash
Summary
by MITRE • 07/15/2026
Redash is a package for data visualization and sharing. From 5.0.2 to 26.3.0, the get_next_path() function in Redash's authentication module stripped the scheme and netloc from user-supplied next parameters but did not normalize multiple leading slashes, allowing a crafted login URL such as /login?next=////evil.com to redirect users to an external attacker-controlled site after authentication.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/15/2026
The vulnerability described represents a critical open redirect flaw in Redash's authentication system that affects versions between 5.0.2 and 26.3.0. This issue resides within the get_next_path() function located in the authentication module, where the application fails to properly sanitize user-supplied next parameters during the login redirection process. The flaw stems from incomplete input validation and sanitization mechanisms that strip only the scheme and network location components from URLs while leaving multiple leading slashes intact, creating a pathway for attackers to manipulate redirect behavior.
The technical implementation of this vulnerability exploits the difference between URL parsing and normalization behaviors in web applications. When users are redirected after authentication, the system processes the next parameter by removing the scheme such as http or https and the netloc portion containing the domain name. However, it leaves multiple consecutive forward slashes in place, which allows attackers to construct malicious URLs that appear legitimate but ultimately redirect to external domains. This specific implementation flaw creates a condition where the URL normalization process fails to properly canonicalize the path, enabling attackers to craft URLs such as /login?next=////evil.com that bypass normal security checks.
The operational impact of this vulnerability extends beyond simple unauthorized redirection, potentially enabling sophisticated phishing attacks and credential theft operations. Attackers can leverage this flaw to redirect authenticated users to malicious domains where they might attempt to capture credentials or deploy additional malware. The vulnerability affects the core authentication flow of Redash, making it particularly dangerous as it operates during the user login process when security controls are most critical. This type of open redirect vulnerability is classified under CWE-601 as URL Redirection to Untrusted Site ('Open Redirect') and aligns with ATT&CK technique T1566.002 for Phishing via Social Media, where attackers can manipulate legitimate authentication flows to direct users to malicious sites.
Security mitigations for this vulnerability require immediate implementation of proper URL normalization and validation procedures within the authentication module. Organizations should ensure that all user-supplied redirect parameters undergo comprehensive sanitization that includes removing or normalizing multiple leading slashes, canonicalizing URLs, and validating target domains against a whitelist of approved destinations. The fix should implement strict input validation that ensures next parameters only point to internal application paths or explicitly trusted external domains. Additionally, implementing proper logging and monitoring for unusual redirect patterns can help detect potential exploitation attempts, while regular security updates and penetration testing should verify that similar vulnerabilities do not exist in other parts of the authentication system. This remediation approach addresses both the immediate technical flaw and establishes defensive measures against related attack vectors.