CVE-2026-55806 in core
Summary
by MITRE • 07/11/2026
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Drupal Drupal core allows Content Spoofing. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.*, from 0.0.0 to 11.1.*.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 07/11/2026
The open redirect vulnerability in Drupal core represents a significant security flaw that enables attackers to manipulate user navigation through crafted URLs, potentially leading to content spoofing and phishing attacks. This vulnerability exists within the core framework's handling of URL redirection mechanisms, where input validation is insufficient to prevent malicious redirection attempts. The affected versions span multiple release branches including Drupal 10.x and 11.x, indicating a widespread impact across the platform's current development lineage. The vulnerability specifically affects versions ranging from 0.0.0 to 10.5.12, with additional affected ranges in the 10.6.x and 11.x series, demonstrating that this issue has persisted across multiple major releases.
The technical implementation of this vulnerability stems from inadequate sanitization of redirect URLs within Drupal's core components, particularly affecting the path handling and URL generation functions. When users encounter links that should redirect to trusted domains, malicious actors can exploit this weakness by crafting URLs that redirect to untrusted third-party sites. The flaw operates at the application layer where user input is processed without sufficient validation of destination URLs, allowing attackers to insert arbitrary domains into redirect parameters. This type of vulnerability maps directly to CWE-601, which specifically addresses open redirect vulnerabilities where applications fail to validate redirection targets. The underlying mechanism typically involves URL parsing functions that do not properly verify whether redirected destinations originate from trusted sources or are controlled by the application itself.
The operational impact of this vulnerability extends beyond simple content spoofing to encompass potential phishing attacks, credential theft, and user deception scenarios. Attackers can leverage this weakness to redirect users from legitimate Drupal sites to malicious domains designed to capture login credentials or personal information. The consequences include compromised user trust, potential data breaches, and reputational damage to organizations relying on affected Drupal installations. Users who click on manipulated links may unknowingly navigate to fraudulent websites that appear legitimate due to the initial trusted domain context. This vulnerability particularly affects web applications where users interact with external links or authentication flows, as these scenarios provide ideal attack vectors for executing successful open redirect attacks. The impact is further amplified by the fact that many Drupal installations may not have robust URL validation mechanisms in place, making them vulnerable to exploitation across various attack surfaces.
Mitigation strategies for this vulnerability require immediate implementation of input validation controls within Drupal core's redirection functionality. Organizations should prioritize updating to patched versions of Drupal where available, as these releases typically include enhanced URL sanitization and validation routines that prevent malicious redirects from being processed. The recommended approach involves implementing strict domain whitelisting for redirect destinations, ensuring that only predetermined trusted domains can receive redirect traffic. Security teams should also consider implementing additional monitoring controls to detect suspicious redirection patterns and establish automated alerting mechanisms for unusual redirect behaviors. From a defensive standpoint, organizations can implement Content Security Policy headers and browser-based protections that restrict the ability of external domains to receive redirects from their applications. The remediation process should include comprehensive testing of all redirection paths within the application to ensure that no bypass mechanisms exist, while also reviewing custom modules that may interact with Drupal's core redirect functionality. These measures align with ATT&CK technique T1566 which covers social engineering through phishing and malicious redirects, emphasizing the need for proactive defense against such exploitation vectors.