Hi,
I found that 6 endpoints in Authorizer accept a user-controlled redirect_uri and append sensitive tokens to it without validating the URL against AllowedOrigins. The OAuth /app handler validates redirect_uri at http_handlers/app.go:46, but the GraphQL mutations and verify_email handler skip validation entirely. An attacker can steal password reset tokens, magic link tokens, and full auth sessions (access_token + id_token + refresh_token) by pointing redirect_uri to their server. Verified against HEAD (commit 73679fa).
internal/graphql/forgot_password.go:76-77) - password reset tokensinternal/graphql/magic_link_login.go:150-151) - magic link auth tokensinternal/graphql/signup.go:211-212) - email verification tokensinternal/graphql/invite_members.go:90-91) - invitation tokensinternal/http_handlers/oauth_login.go:18-20) - OAuth redirect stored in stateinternal/http_handlers/verify_email.go:27,178) - full auth tokens (access + id + refresh)Because these 6 endpoints completely lack the validators.IsValidOrigin() check, this vulnerability bypasses secure configurations. Even if a production administrator strictly configures AllowedOrigins to ["https://my-secure-app.com"], an attacker can still steal tokens by passing https://attacker.com to these specific GraphQL mutations. The validation only exists in the /app OAuth handler, not in any of the GraphQL mutations.
In forgot_password.go:76-77, the user-supplied redirect_uri is accepted without validation:
if strings.TrimSpace(refs.StringValue(params.RedirectURI)) != "" {
redirectURI = refs.StringValue(params.RedirectURI)
}
The reset token is appended to this URL at internal/utils/common.go:77:
func GetForgotPasswordURL(token, redirectURI string) string {
verificationURL :=...
0.0.0-20260329085140-6d9bef1aaba3Exploitability
AV:NAC:LAT:NPR:NUI:AVulnerable System
VC:HVI:HVA:HSubsequent System
SC:NSI:NSA:N8.6/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N