CVE-2026-42195
3.4
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N
Summary
draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.9, the draw.io client accepts a ?gitlab= URL parameter that overrides the GitLab server URL used during OAuth sign-in. A crafted link causes the user's click on draw.io's "Authorize in GitLab" dialog to open a popup on the attacker-controlled host instead of gitlab.com. This can lead to credential fishing and session state token exfiltration. This issue has been patched in version 29.7.9.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| jgraph | drawio | < 29.7.9 | affected |
Weaknesses
- CWE-601: CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
- CWE-200: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/jgraph/drawio/security/advisories/GHSA-8x7j-m8px-7p8x
- https://github.com/jgraph/drawio/issues/493
- https://github.com/jgraph/drawio/releases/tag/v29.7.9
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.