CVE-2026-50134 in Hugoinfo

Summary

by MITRE • 07/06/2026

Hugo is a static site generator. From 0.91.0 until 0.162.0, resources.GetRemote enforces security.http.urls on the URL it is called with, but it did not re-validate intermediate URLs on HTTP 3xx redirects. An allowed server (or an attacker controlling its DNS or response) could therefore redirect the request to a host that the policy was meant to forbid and Hugo would fetch from the redirected target. The same bypass also lifted any host-shape restriction the operator had put in place. This vulnerability is fixed in 0.162.0.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/07/2026

The vulnerability in Hugo static site generator affects versions between 0.91.0 and 0.162.0, specifically within the resources.GetRemote functionality that handles remote resource fetching operations. This flaw represents a critical security oversight in the application's URL validation mechanism where the system properly validates the initial target URL against configured security policies but fails to re-validate subsequent URLs encountered during HTTP redirect chains. The vulnerability stems from the absence of intermediate URL verification during 3xx redirect handling, creating a path for malicious actors to bypass intended access controls through carefully crafted redirect sequences.

The technical implementation flaw occurs in how Hugo processes HTTP redirects when fetching remote resources, where the system applies security.http.urls policies only to the original request URL rather than maintaining validation throughout the entire redirect chain. This behavior creates a security boundary violation that allows attackers to exploit DNS hijacking or malicious server responses to redirect requests through allowed domains to forbidden destinations. The vulnerability specifically affects the host-shape restrictions that operators configure to control which external hosts their applications can access, effectively nullifying these protective measures when redirects occur.

From an operational impact perspective, this vulnerability enables arbitrary remote code execution and data exfiltration capabilities for attackers who can manipulate DNS records or control intermediate servers in the redirect chain. The bypass allows malicious actors to circumvent network security policies that should prevent access to internal systems, malicious domains, or unauthorized external resources. This weakness particularly impacts organizations relying on Hugo for content generation where security policies are enforced through domain whitelisting mechanisms, as the vulnerability undermines these fundamental controls.

Security researchers categorize this vulnerability under CWE-20: Improper Input Validation, specifically addressing inadequate validation of redirect paths in web applications. The flaw aligns with ATT&CK technique T1071.004: Application Layer Protocol: DNS, where attackers manipulate domain name resolution to bypass access controls. Organizations using Hugo in production environments face significant risk exposure, particularly those with strict network segmentation policies or zero-trust architectures that depend on proper URL validation. The vulnerability demonstrates the importance of implementing comprehensive redirect validation across all network request paths rather than relying on single-point validation mechanisms.

The fix implemented in version 0.162.0 addresses this by enforcing consistent policy validation throughout the entire redirect chain, ensuring that each intermediate URL in a redirect sequence undergoes the same security checks as the original target. This remediation aligns with security best practices for web application development and reinforces the principle of least privilege through proper input sanitization. Organizations should immediately upgrade to version 0.162.0 or later to mitigate this vulnerability, while also reviewing their existing security policies to ensure that redirect handling is properly configured in their Hugo deployment environments. The fix represents a critical improvement in the application's security posture and demonstrates the importance of comprehensive validation mechanisms in web applications that handle external resource fetching operations.

Responsible

GitHub M

Reservation

06/03/2026

Disclosure

07/06/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Interested in the pricing of exploits?

See the underground prices here!