CVE-2026-11436: Reflected XSS in Mage AI Sign-In Flow (v0.9.79 and Earlier)
Mage AI versions up to 0.9.79 contain a reflected cross-site scripting (XSS) vulnerability in the sign-in flow. An attacker can craft a malicious URL with a manipulated redirect parameter that, when clicked by a user, executes JavaScript in the victim's browser within the context of the Mage AI application. The vulnerability requires user interaction—someone must click the malicious link—but no authentication is needed to trigger it. Public exploit details are now available.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
- Weaknesses (CWE)
- CWE-79, CWE-94
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-06 / 2026-06-17
NVD description (verbatim)
A vulnerability was detected in Mage AI up to 0.9.79. This impacts the function useMutation of the file mage_ai/frontend/components/Sessions/SignForm/index.tsx of the component Sign-in Flow. Performing a manipulation of the argument query.redirect_url results in cross site scripting. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in the useMutation hook implementation within mage_ai/frontend/components/Sessions/SignForm/index.tsx. The query.redirect_url parameter is not properly sanitized before being used, allowing injection of arbitrary JavaScript. The attack vector is network-based with low complexity; the vulnerability chain involves both Improper Neutralization of Input During Web Page Generation (CWE-79) and Improper Control of Generation of Code (CWE-94). While the CVSS score of 4.3 reflects the requirement for user interaction and lack of confidentiality impact, the public availability of exploit details elevates practical risk.
Business impact
Organizations running Mage AI for data orchestration or workflow management face reputational and operational risk. A successful attack could compromise user sessions, steal authentication tokens, deface the application interface, or redirect users to phishing pages. If Mage AI is used in customer-facing or multi-tenant environments, the blast radius extends to end-users. The lack of vendor responsiveness suggests patches may be delayed or unavailable through official channels.
Affected systems
Mage AI versions 0.9.79 and earlier are confirmed vulnerable. The sign-in flow component affects all deployments where users authenticate. Web-based access to Mage AI—whether on-premises or cloud-hosted—is exploitable. Organizations should verify their installed version immediately; if running version 0.9.79 or below, assume exposure.
Exploitability
Exploitation is straightforward: an attacker constructs a URL embedding malicious JavaScript in the redirect_url query parameter and socializes it via email, chat, or other channels. When a user clicks the link and arrives at the Mage AI sign-in page, the payload executes in their browser. No special tools, authentication, or server-side tricks are required. The fact that exploits are publicly available means attackers have working proof-of-concepts and barrier to weaponization is negligible. User education remains a critical control, but cannot be the sole mitigation.
Remediation
Immediately update Mage AI to the latest available version beyond 0.9.79; verify the patch changelog confirms XSS remediation in the sign-in flow. If an update is not yet available from the vendor due to lack of response, implement a compensating control: deploy a Web Application Firewall (WAF) rule to detect and block requests with suspicious redirect_url parameters (e.g., those containing 'javascript:', 'onerror=', or other common XSS payloads). Additionally, enable Content Security Policy (CSP) headers to restrict inline script execution. These mitigations reduce risk but are not substitutes for patching.
Patch guidance
Check the Mage AI GitHub releases page and official documentation for versions newer than 0.9.79. Because the vendor reportedly did not respond to early disclosure, there is no coordinated release date provided. Once a patch is available, test it in a non-production environment to ensure compatibility with your configuration and dependent workflows. If no official patch is forthcoming within a reasonable timeframe (e.g., 30 days), escalate the matter to Mage AI maintainers via GitHub issues and consider alternative orchestration tools if security posture is critical to your organization.
Detection guidance
Search web server and application logs for GET or POST requests to the sign-in endpoint with redirect_url parameters containing encoded or unencoded JavaScript keywords (e.g., 'script', 'onerror', 'onload', 'eval'). Monitor for unusual redirect patterns that point to external or suspicious domains. If Mage AI logs user interactions, check for failed authentication attempts correlated with redirect_url manipulation. Deploy a WAF or SIEM rule to flag these patterns in real time. Endpoint detection can monitor for unusual JavaScript execution context originating from the Mage AI domain in user browsers.
Why prioritize this
Although the CVSS score is moderate (4.3), the combination of public exploit availability, low barrier to weaponization, and vendor unresponsiveness elevates practical urgency. The XSS can compromise user credentials, sessions, and trust. Organizations should prioritize patching within 1–2 weeks. If a patch is unavailable, implement WAF/CSP controls immediately to reduce surface exposure. This is not a critical zero-day requiring emergency response, but it is actionable and should not be deferred indefinitely.
Risk score, explained
The CVSS 3.1 score of 4.3 (MEDIUM) reflects: Network Attack Vector (AV:N), Low Attack Complexity (AC:L), no privileges required (PR:N), user interaction required (UI:R), unchanged scope (S:U), no confidentiality impact (C:N), low integrity impact (I:L), and no availability impact (A:N). The user interaction requirement caps the score; the attacker cannot unilaterally exploit this without victim action. However, integrity impact (ability to inject and execute scripts) is the core threat. The lack of a confidentiality or availability impact in the base vector understates the practical risk if the XSS is chained with session hijacking or credential theft.
Frequently asked questions
Can an attacker exploit this without a user clicking a link?
No. The vulnerability requires user interaction—specifically, the victim must click a malicious link or be redirected to a crafted URL. An attacker cannot trigger the XSS from a remote location without the victim's browser being involved. However, social engineering (phishing, pretexting) makes this a realistic attack scenario.
If we patch Mage AI, are we fully protected?
Patching the vulnerable versions is the primary remediation. Assuming the patch properly sanitizes the redirect_url parameter, it should eliminate the XSS vector. However, apply security best practices universally: enable CSP, use a WAF, educate users about phishing, and maintain regular security testing to catch similar issues.
What should we do if a patch is not available from the vendor?
Implement compensating controls: deploy a WAF to block requests with XSS-like payloads in the redirect_url, enforce a strict Content Security Policy to prevent inline script execution, and restrict outbound redirects to a whitelist of trusted domains. Monitor logs for suspicious activity. Simultaneously, engage Mage AI maintainers (via GitHub or support channels) to request a patch timeline. If unresponsive, consider migrating to an alternative orchestration platform if security is a primary concern.
Does this vulnerability steal data or crash the service?
No. The XSS does not directly cause data theft or service availability loss by itself. However, it can be weaponized to steal user credentials, hijack sessions, deface the UI, or redirect users to phishing sites. The integrity impact is the primary concern—attackers can manipulate what the victim sees and does within Mage AI after they authenticate.
This analysis is based on publicly disclosed information as of June 2026. CVSS scores, affected versions, and vendor responsiveness reflect the data available at publication. Organizations should verify patch availability and compatibility with their specific Mage AI deployment and configuration. This content is for informational purposes and does not constitute professional security advice. Consult with your security team and the vendor for definitive guidance. No exploit code or detailed attack instructions are provided herein. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10153MEDIUMCross-Site Scripting in westboy CicadasCMS Search Function
- CVE-2026-10173MEDIUMCross-Site Scripting in Orthanc Explorer 2 – Patch Guidance & Detection
- CVE-2026-10289MEDIUMXSS Vulnerability in Hotel and Tourism Reservation System 1.0
- CVE-2026-10301MEDIUMReflected XSS in itsourcecode Fees Management System 1.0 – Exploit Public
- CVE-2026-10810MEDIUMCross-Site Scripting in itsourcecode Fees Management System v1.0
- CVE-2026-11337MEDIUMReflected XSS in tittuvarghese CollegeManagementSystem – Risk Analysis & Remediation
- CVE-2026-10112LOWXSS in STUDENT-MANAGEMENT-SYSTEM 1.0 Dashboard
- CVE-2026-10228LOWXSS Vulnerability in raisulislamg4 Student Management System