CVE-2026-45307: Speakr Open Redirect Vulnerability in Post-Login Redirects
Speakr, a self-hosted audio transcription web application, contains an open redirect vulnerability in its post-login redirect logic. An attacker can craft a malicious URL that passes the application's safety validation but redirects authenticated users to an external attacker-controlled website. The flaw stems from a mismatch between how the validation function and the redirect function interpret scheme-relative URLs (those beginning with ////). The vulnerability affects versions prior to 0.8.20-alpha and is user-interaction dependent—victims must click a malicious link after logging in.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-601
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Speakr is a personal, self-hosted web application designed for transcribing audio recordings. Prior to 0.8.20-alpha, the is_safe_url() helper used to validate post-login redirect targets applied urljoin(request.host_url, target) before parsing, while the controller passed the raw target to redirect(). A scheme-relative input such as ////evil.com resolved to a same-host URL during validation but was emitted verbatim in the Location header, where the browser interpreted it as a network-path-relative redirect to an attacker-controlled host. This vulnerability is fixed in 0.8.20-alpha.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The is_safe_url() helper in affected versions applies urljoin(request.host_url, target) before validation, which resolves a scheme-relative input like ////evil.com to a same-host URL, passing the safety check. However, the controller then passes the raw, unvalidated target string directly to the redirect() function. Browsers interpret scheme-relative URLs (network-path-relative references) literally in the Location header, causing navigation to the attacker-supplied host despite the validator's approval. This is a classic open redirect stemming from inconsistent parsing logic between validation and action layers. The CWE-601 classification confirms the open redirect nature of the issue.
Business impact
Open redirects in authentication flows pose a credential theft and phishing risk. An attacker can combine this flaw with social engineering to redirect legitimate users to a spoofed login page after they authenticate with Speakr, harvesting passwords or session tokens. Even if users notice the redirect, trust in the application is eroded. For organizations deploying Speakr internally, this becomes a post-authentication attack vector that undermines security awareness—users may assume a redirect from the app is legitimate. The medium CVSS score reflects the requirement for user interaction and the fact that no confidentiality, integrity, or availability of the application itself is directly compromised; the attack targets downstream user trust.
Affected systems
Speakr versions prior to 0.8.20-alpha are affected. The vulnerability is present in self-hosted deployments of this audio transcription tool. Since Speakr is designed as a personal, self-hosted application, exposure depends on how widely it has been adopted in organizational or shared hosting environments. No vendor product entries are specified in the advisory, indicating a niche or early-stage project. Administrators running Speakr should verify their installed version immediately.
Exploitability
Exploitation requires user interaction—an attacker must social-engineer a victim into clicking a link containing the malicious scheme-relative payload (e.g., ////evil.com) after the victim has authenticated. The attack surface is the post-login redirect mechanism, typically used by applications to send users to a referrer page or dashboard. No authentication bypass is needed; the attacker relies on the user's existing session. The low barrier to crafting the malicious URL and the common practice of clicking links in emails or messages make this practical to exploit at scale. However, the attack does not grant automatic compromise; it depends on victim behavior post-redirect.
Remediation
Upgrade to Speakr version 0.8.20-alpha or later, which corrects the parsing mismatch between validation and redirect logic. Organizations deploying Speakr should prioritize this patch to eliminate the post-login redirect vector. If immediate patching is not feasible, consider implementing network-level controls to restrict outbound redirects or deploy a Web Application Firewall (WAF) rule to detect and block scheme-relative URLs in Location headers. User education on phishing and suspicious redirects provides a complementary control.
Patch guidance
Apply Speakr version 0.8.20-alpha or any subsequent stable release. Verify patch application by checking the application version in the settings or logs. If you are running Speakr in a containerized environment, rebuild your image with the patched version and redeploy. Test the post-login redirect behavior after patching to confirm the fix is in place. Check release notes for any breaking changes or additional configuration steps. If you maintain a fork or custom deployment of Speakr, review the fix in the upstream repository and backport if necessary.
Detection guidance
Monitor HTTP access logs and security event logs for anomalous Location header values, particularly those containing scheme-relative URLs or unexpected external hosts in redirect responses. Look for requests with payloads like ////evil.com or //evil.com in query parameters tied to redirect or referrer functionality. If you have endpoint detection and response (EDR) or SIEM integration, create alerts for outbound HTTPS connections initiated by users immediately after POST requests to login or authentication endpoints—this pattern may indicate a successful open redirect exploitation. Web application firewalls can be tuned to flag or block responses with suspicious Location headers. Code review of any custom Speakr extensions or integrations should verify that redirect logic properly validates and canonicalizes URLs.
Why prioritize this
While the CVSS score is medium (6.1) and the attack requires user interaction, open redirects in authentication flows warrant prompt attention because they directly enable credential theft and phishing—attacks that often precede larger security incidents. The simplicity of exploitation and the trust relationship users have with post-login redirects amplify business risk despite moderate technical severity. Speakr is self-hosted, so exposure is limited to organizations that have adopted it, but those that have should treat this as a near-term patch priority. The fix is available and straightforward; delaying creates unnecessary risk for a relatively easy remediation.
Risk score, explained
The CVSS 3.1 score of 6.1 (MEDIUM) reflects: a network-accessible attack vector, low attack complexity (the payload is simple to craft), no privilege requirement, user interaction dependency (victim must click the link), changed scope (the attack affects trust boundary between app and user), and low impact to confidentiality and integrity of the application itself. The score does not fully capture the downstream credential theft risk, which is contextual and organization-dependent. In environments where users are highly susceptible to phishing or where Speakr serves sensitive audio content, the real-world risk may exceed the base score; conversely, in security-aware organizations with MFA and user education, the risk may be lower.
Frequently asked questions
How does an attacker exploit this vulnerability?
An attacker crafts a URL containing a scheme-relative redirect target (e.g., https://your-speakr.com/login?next=////evil.com) and sends it to a user via email or message. After the user logs in, Speakr redirects them to evil.com. The attacker can then present a spoofed login page to harvest credentials or steal the session cookie if the user is redirected back to a phishing site mimicking Speakr.
Do I need to upgrade if I don't use post-login redirects?
Most web applications use post-login redirects to send users to a return page or dashboard. Unless you have explicitly disabled this feature in Speakr, you should assume your deployment is affected and upgrade to 0.8.20-alpha or later.
Can this vulnerability be exploited without clicking a link?
No. The attack requires user interaction—the victim must click the malicious link while authenticated (or authenticate via the link). An attacker cannot force a redirect through passive means like DNS or network-layer attacks. However, the low barrier to social engineering makes this a practical attack vector.
Are there any workarounds if I cannot patch immediately?
Configure your reverse proxy or WAF to validate or sanitize Location headers, blocking responses with scheme-relative URLs or unexpected external hosts. Implement strict Content-Security-Policy headers to restrict redirect targets. Monitor logs for suspicious redirect attempts. These are temporary measures; patching should remain the priority.
This analysis is provided for informational purposes and reflects publicly available information about CVE-2026-45307 as of the publication date. While we have made reasonable efforts to ensure accuracy, SEC.co does not warrant the completeness or accuracy of this information. Organizations should verify patch availability, compatibility, and deployment requirements by consulting the official Speakr advisory and release notes. This document does not constitute legal, compliance, or security advice; security teams should conduct their own risk assessment based on their specific environment and threat landscape. Exploit code, detailed attack chains, or weaponized proof-of-concept demonstrations are not provided. Always test patches in a non-production environment before deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10856MEDIUMMISP Dashboard URL Validation Bypass – Phishing Risk
- CVE-2026-10861MEDIUMMISP Open Redirect Vulnerability in Post-Login Flow
- CVE-2026-40181MEDIUMReact Router Open Redirect Vulnerability (v6 & v7)
- CVE-2026-41569MEDIUMauthentik WS-Federation URL Validation Bypass Leading to Credential Theft
- CVE-2026-40961HIGHApache Airflow Open Redirect Vulnerability (CVSS 7.2)
- CVE-2026-45278LOWNextcloud OIDC Open Redirect Vulnerability – Patch Available
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2018-25387MEDIUMHaPe PKH 1.1 Cross-Site Request Forgery (CSRF) Admin Password Reset