CVE-2026-56326

MEDIUM

Nuxt - Server-Side Open Redirect via Path-Normalization Bypass in navigateTo

Title source: cna
STIX 2.1

Description

Nuxt versions 4.0.0 before 4.4.7 and 3.x before 3.21.7 contain a server-side open redirect vulnerability in navigateTo that fails to properly validate path-normalized payloads like /..//evil.com and /.//evil.com. Attackers can bypass external-host checks using path-normalization techniques to redirect users to attacker-controlled sites via the Location header or meta-refresh, enabling phishing and OAuth authorization-code theft.

References (4)

Core 4
Core References
Third Party Advisory third-party-advisory
VulnCheck Advisory: Nuxt - Server-Side Open Redirect via Path-Normalization Bypass in navigateTo
https://www.vulncheck.com/advisories/nuxt-server-side-open-redirect-via-path-normalization-bypass-in-navigateto
Vendor Advisory vendor-advisory
GitHub Security Advisory (GHSA-c9cv-mq2m-ppp3)
https://github.com/nuxt/nuxt/security/advisories/GHSA-c9cv-mq2m-ppp3

Scores

CVSS v3 6.1
EPSS 0.0021
EPSS Percentile 10.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-601
Status published
Products (7)
npm/nuxt 0 - 3.21.7npm
npm/nuxt 4.0.0 - 4.4.7npm
Nuxt/Nuxt < 3.21.7
nuxt/nuxt 3.0.0 - 3.21.7
Nuxt/Nuxt 3.21.7
Nuxt/Nuxt 4.0.0 - 4.4.7
Nuxt/Nuxt 4.4.7
Published Jun 22, 2026
Tracked Since Jun 23, 2026