Product
An unvalidated redirect vulnerability, CVE-2026-54072, in the Authorizer `/authorize` endpoint allows an unauthenticated attacker to steal OAuth2 access, ID, and refresh tokens by crafting a malicious URL with an attacker-controlled `redirect_uri` to which the application redirects a logged-in user, exposing their tokens.