Redash Open Redirect Vulnerability in Authentication Module

Vulnerability

An open redirect vulnerability has been identified in Redash versions 5.0.2 through 26.3.0. The issue arises in the authentication module's get_next_path() function, which improperly handles user-supplied next parameters. While the function strips the scheme and netloc, it fails to normalize multiple leading slashes. This oversight allows crafted login URLs to redirect users to external, attacker-controlled sites after authentication. The vulnerability affects all authentication methods, including password login, Google OAuth, LDAP, and remote user authentication.

Impact

Exploitation of this vulnerability allows for open redirection, where users are sent to a malicious site after logging in, potentially leading to phishing or credential theft.

Reproduction

To reproduce this vulnerability, log into a Redash instance using any authentication method. After logging in, the next parameter in the login URL can be set to a value like '////evil.com'. Once authenticated, the user will be redirected to the specified external site, bypassing the application's intended redirect behavior.

Remediation

Users can upgrade to Redash version 26.3.1, which includes the patch for this vulnerability. If an upgrade is not possible, the patch can be manually applied to the redash/authentication/__init__.py file by collapsing multiple leading slashes in the get_next_path() function.

Added: Jul 15, 2026, 3:47 PM
Updated: Jul 15, 2026, 3:47 PM

Vulnerability Rating

Custom Algorithm
spread
1.9
impact
0.2
exploitability
7.2
remediation
7.7
relevance
9.7
threat
4.8
urgency
2.9
incentive
0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.