Discourse
cpe:2.3:a:discourse:discourse:*:*:*:*:*:*:*
- >= 2026.1.0-latest, < 2026.1.3
- >= 2026.2.0-latest, < 2026.2.2
- >= 2026.3.0-latest, < 2026.3.0
An open redirect vulnerability has been identified in Discourse versions 2026.1.0-latest prior to 2026.1.3, 2026.2.0-latest prior to 2026.2.2, and 2026.3.0-latest prior to 2026.3.0. The issue arises in the StaticController's enter action, where the sso_destination_url cookie is read and used for redirection without proper validation of the URL. This vulnerability allows attackers to exploit the cookie, which can be set manually or through other vulnerabilities, to redirect users to malicious sites, potentially leading to phishing attacks.
Exploitation of this vulnerability allows for open redirects, where users are sent to an attacker-controlled URL after authentication. This could be used to facilitate phishing attacks.
To reproduce this vulnerability, first ensure that DiscourseConnect Provider is enabled. Set the sso_destination_url cookie to an arbitrary external URL. Then, authenticate via the /login endpoint. The application will redirect to the URL specified in the sso_destination_url cookie, regardless of its validity or safety.
Users should upgrade to Discourse versions 2026.1.3, 2026.2.2, or 2026.3.0, all of which include the necessary security fix. If an immediate upgrade is not possible, DiscourseConnect Provider can be disabled as a temporary measure.
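The two functions below are an added illustration of the bug class, not Discourse's own code: one hands the sso_destination_url cookie value to the redirect unchanged, the other only accepts destinations that stay on the site. The helper names, the site_host parameter and the sample values are assumptions.

```ruby
require "uri"

# Vulnerable pattern (constructed): whatever the cookie holds becomes the
# redirect target, so an attacker-controlled external URL passes straight through.
def vulnerable_destination(cookie_value, fallback = "/")
  cookie_value.nil? || cookie_value.strip.empty? ? fallback : cookie_value.strip
end

# Hardened pattern: return a site-local path or the fallback, never an
# external URL. site_host is the application's own canonical host (assumed).
def safe_destination(cookie_value, site_host, fallback = "/")
  return fallback if cookie_value.nil? || cookie_value.strip.empty?
  value = cookie_value.strip
  begin
    uri = URI.parse(value)
  rescue URI::InvalidURIError
    return fallback
  end

  if uri.host
    # Absolute or scheme-relative ("//evil.example") URL: allow only http(s)
    # and only when the host is exactly ours; then keep just path and query.
    return fallback unless %w[http https].include?(uri.scheme)
    return fallback unless uri.host.casecmp?(site_host)
    path = uri.path.empty? ? "/" : uri.path
    return uri.query ? "#{path}?#{uri.query}" : path
  end

  # No host: accept only a single-slash local path. "//..." is scheme-relative
  # and "/\\..." is normalised to "//" by some browsers, so both are rejected.
  return fallback unless value.start_with?("/")
  return fallback if value.start_with?("//", "/\\")
  value
end
```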