MEDIUM 4.8

CVE-2026-28301: Open Redirect Vulnerability (MEDIUM CVSS 4.8)

CVE-2026-28301 is a URL redirection vulnerability that allows an attacker to craft a malicious link which, when followed by an authorized user, redirects them to an attacker-controlled website. The vulnerability requires an attacker to be on the same network segment as the target and needs a user with some level of system access to click the malicious link, but does not require the victim's interaction with a confirmation dialog. The attack results in confidentiality exposure rather than data modification or system unavailability.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.8 MEDIUM · CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-601
Affected products
0 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

A vulnerability in which an attacker can provide a crafted external URL that may redirect a user to an unintended website.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

This vulnerability implements an Open Redirect (CWE-601) flaw where insufficient input validation on external URLs allows an attacker to redirect authenticated users to arbitrary websites. The CVSS 3.1 vector (AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N) indicates the attack requires adjacent network access and high attack complexity, but once triggered, achieves high confidentiality impact. The absence of user interaction (UI:N) in the vector suggests the redirect executes automatically or through an unexpected mechanism, distinguishing this from typical phishing redirects that rely on user clicks.

Business impact

The primary business risk stems from potential information disclosure through forced redirection to attacker-controlled sites that can harvest credentials, capture session tokens, or exfiltrate sensitive data. The requirement for authenticated user access limits the attack surface to internal personnel or trusted partners. Organizations should assess whether their users routinely follow URLs from potentially untrusted sources within their trusted infrastructure, as this affects real-world exploitation likelihood.

Affected systems

The source data does not specify affected vendors or products. Organizations should cross-reference this CVE identifier with their vendor security bulletins and software bill of materials to determine exposure. Verify whether any systems in your environment that process or forward external URLs are vulnerable to open redirect attacks.

Exploitability

This vulnerability has a CVSS exploitability score reflecting moderate difficulty. The attacker must establish adjacent network access and the victim must have valid system credentials, raising the bar above purely external attacks. However, the high attack complexity mitigating factor suggests the technique may require specific conditions or configurations. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild has not been confirmed as of the publication date.

Remediation

Remediation should focus on input validation and URL sanitization. Implement strict allowlisting of permitted redirect destinations rather than blacklisting malicious patterns. Any external URL parameter should be validated against a known-good set of domains before processing. Additionally, review authentication token handling to ensure tokens cannot be harvested during redirects. Consult vendor security advisories for patch availability and specific remediation steps for your affected products.

Patch guidance

Check your vendor's security advisory website directly for patched versions and deployment timelines. Given the MEDIUM severity and lack of KEV listing, patching should be prioritized according to your organization's standard change management schedule, but should not be deferred indefinitely. Verify patch compatibility with your environment before production deployment. If your vendor has not issued a patch, implement compensating controls such as URL filtering or network segmentation to reduce exposure.

Detection guidance

Monitor for HTTP 302/301 redirect responses that forward authenticated sessions to external domains outside your allowlisted destination set. Log and alert on URL parameters that contain encoded or manipulated domain references. Endpoint detection systems should flag requests to known-attacker infrastructure domains that may be redirection targets. Review web proxy and firewall logs for unusual redirect patterns initiated from internal users on the affected system.

Why prioritize this

While the CVSS score is MEDIUM (4.8) and the vulnerability requires adjacent network access plus user credentials, the high confidentiality impact and potential for silent data exfiltration warrant attention. The lack of active exploitation (no KEV listing) allows time for deliberate patching, but organizations should not treat this as low-risk. Prioritize based on whether your environment meets the attack prerequisites: adjacent network access and the presence of authenticated users who may follow external links.

Risk score, explained

The score of 4.8 reflects the combination of high confidentiality impact offset by stringent access requirements. Adjacent network access (AV:A) and high attack complexity (AC:H) reduce exploitability compared to network-based attacks. The requirement for low privileges (PR:L) further narrows the attacker pool. However, the confidentiality impact rating remains high (C:H), preventing a lower overall score. This is appropriately classified as MEDIUM risk rather than HIGH, suitable for organizations with mature access controls and network segmentation.

Frequently asked questions

Does this vulnerability allow an attacker to modify data or crash the system?

No. The CVSS vector shows no integrity impact (I:N) and no availability impact (A:N). The vulnerability enables redirection to attacker sites, which could lead to credential theft or social engineering, but does not directly alter or delete data or cause denial of service.

Is this vulnerability being actively exploited?

As of the publication date, this vulnerability is not listed in the CISA KEV catalog, meaning widespread active exploitation has not been confirmed. However, the absence of KEV listing does not guarantee the vulnerability is unexploited; it reflects publicly available intelligence.

Can an attacker exploit this from the internet, or do they need to be on my network?

The attacker must have adjacent network access (AV:A), meaning they need to be on the same network segment or have a direct network path to the target. This is more restrictive than a purely external network-based attack, but does include scenarios where an attacker has compromised a system on your LAN.

What is the difference between this and a typical phishing redirect?

This vulnerability executes without user interaction (UI:N), meaning the redirect may happen automatically or through an unexpected code path. Traditional phishing requires a user to click a link. This suggests the affected system may redirect users without obvious warning, making it more dangerous in some contexts.

This analysis is provided for informational purposes and reflects publicly available information as of the modification date (2026-06-17). Vendor product information is not included in the source data; organizations must verify affected systems independently via vendor advisories and internal asset inventories. CVSS scores and vectors are based on CVSS 3.1 methodology and may not reflect organizational risk tolerance or business context. Consult official vendor guidance and engage internal risk stakeholders before making patching or remediation decisions. SEC.co makes no warranty regarding the completeness or timeliness of this intelligence. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).