CVE-2026-25477

AFFiNE <0.26.0 - Open Redirect

Title source: llm

Description

AFFiNE is an open-source, all-in-one workspace and an operating system. Prior to version 0.26.0, there is an Open Redirect vulnerability located at the /redirect-proxy endpoint. The flaw exists in the domain validation logic, where an improperly anchored Regular Expression allows an attacker to bypass the whitelist by using malicious domains that end with a trusted string. This issue has been patched in version 0.26.0.

References (1)

[Vendor Advisory] https://github.com/toeverything/AFFiNE/security/advisories/GHSA-wx9m-v7wq-g289

Scores

EPSS 0.0005

EPSS Percentile 16.6%

Classification

CWE

CWE-601

Status draft

Timeline

Published Mar 02, 2026

Tracked Since Mar 03, 2026