CVE-2026-49826 · Severity: LOW · CVSS 0.0

Concourse login flow has an open redirect issue

Published Jul 1, 2026 · Updated Jul 1, 2026

Description

### Impact

An attacker is able to craft and send a user a URL that will redirect the user from the Concourse web server to any other site. This could be used in a phishing attack to steal users' credentials.

### Patches

This has been fixed in 8.2.3.

### Workarounds

None.

### Exploit

Vulnerable code was in: https://github.com/concourse/concourse/blob/ea7b812e3a88fdd070f0faece874e8a2d4fbb31c/skymarshal/skyserver/skyserver.go#L162-L170

The issue stems from the underlying processing logic of Go's `url` package. Normally, `ParseRequestURI()` eventually reaches the internal `url.setPath()` function, where the URL path is decoded once. When the URL is rendered back to a string, `RawPath` is returned as is only if it is not empty, `validEncoded(RawPath)` is true, and its decoded form equals `Path`; otherwise the already-decoded `Path` is escaped again instead of reusing `RawPath`, which has the effect of an extra decoding step. In other words, if the URL contains dangerous characters that should be escaped, such as backslashes (`\`), the original `%`-encoding of the path is lost. Therefore, `/%2Fexample.com` will be parsed as `//example.com`.

On vulnerable versions of Concourse, add `/sky/login?redirect_uri=/%252Fexample.com/\` to your Concourse external URL, log in as usual, and you should be redirected to `example.com` instead of your Concourse web server. The redirect happens after the login flow completes. No credentials are leaked.
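The `url` package behaviour described above, plus a path-only redirect check a defender could apply, as an added Go example (not Concourse's code or its fix; `ParseRedirect`, `SafeLocalRedirect` and the `/teams/main/pipelines` sample target are constructed for illustration):

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// ParseRedirect exposes how ParseRequestURI handles a percent-encoded path:
// Path is decoded once, and when RawPath contains a byte that must be escaped
// (here a backslash) String() re-escapes the decoded Path instead of reusing
// RawPath, so "/%2Fexample.com/\" renders as the protocol-relative "//example.com/%5C".
func ParseRedirect(raw string) (path, rawPath, rendered string, err error) {
	u, err := url.ParseRequestURI(raw)
	if err != nil {
		return "", "", "", err
	}
	return u.Path, u.RawPath, u.String(), nil
}

// SafeLocalRedirect (hypothetical hardening, not Concourse's fix) accepts a
// redirect target only if it is a rooted, same-origin path and returns
// fallback for anything else: absolute URLs, authorities, protocol-relative
// results and backslashes (which browsers may normalise to "/").
func SafeLocalRedirect(raw, fallback string) string {
	u, err := url.ParseRequestURI(raw)
	if err != nil || u.Scheme != "" || u.Host != "" || u.User != nil || u.Opaque != "" {
		return fallback
	}
	// Check both the decoded Path and the re-rendered string: either one
	// starting with "//" would be treated by a browser as a new host.
	for _, s := range []string{u.Path, u.String()} {
		if !strings.HasPrefix(s, "/") || strings.HasPrefix(s, "//") || strings.ContainsAny(s, `\`) {
			return fallback
		}
	}
	return u.String()
}

func main() {
	// Constructed inputs: the two shapes from the advisory and a benign path.
	for _, in := range []string{"/%2Fexample.com", `/%2Fexample.com/\`, "/teams/main/pipelines"} {
		p, rp, r, err := ParseRedirect(in)
		fmt.Printf("%-22q path=%q rawPath=%q rendered=%q err=%v\n", in, p, rp, r, err)
		fmt.Printf("  safe redirect -> %q\n", SafeLocalRedirect(in, "/"))
	}
}
```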

Affected Packages (1)

github.com/concourse/concourse (Go)
Fixed in 1.6.1-0.20260526150512-ac60be5f0435

