Description
draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.9, the draw.io client accepts a ?gitlab= URL parameter that overrides the GitLab server URL used during OAuth sign-in. A crafted link causes the user's click on draw.io's "Authorize in GitLab" dialog to open a popup on the attacker-controlled host instead of gitlab.com. This can lead to credential phishing and exfiltration of the OAuth session state token. This issue has been patched in version 29.7.9.
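The mitigation pattern for this class of bug is to treat a user-supplied OAuth server override as untrusted input and resolve it against an allowlist before any popup or token is sent to it. The following is an added example written for this page, not draw.io's own code or its fix: only the `gitlab` parameter name comes from the advisory; the function names, the allowlist, the `/oauth/authorize` path and the sample query strings are assumptions made for illustration.

```javascript
// Added example (not draw.io's own code): allowlisting a user-supplied
// OAuth server override instead of using it as given.
// Only the "gitlab" parameter name is taken from the advisory; the rest is
// a hypothetical illustration of the mitigation pattern.

const DEFAULT_GITLAB = "https://gitlab.com";
// Hosts the application is genuinely configured to sign in against.
const ALLOWED_GITLAB_HOSTS = new Set(["gitlab.com"]);

// Returns the GitLab origin to use for OAuth. Falls back to the default
// whenever the override is absent, unparsable, non-HTTPS, or names a host
// that is not on the allowlist. Only the origin is returned, so any path,
// query or fragment smuggled into the parameter is discarded.
function resolveGitLabOrigin(queryString, allowedHosts = ALLOWED_GITLAB_HOSTS) {
  const params = new URLSearchParams(queryString);
  const override = params.get("gitlab");
  if (!override) return DEFAULT_GITLAB;

  let url;
  try {
    url = new URL(override);
  } catch {
    return DEFAULT_GITLAB; // not a parsable absolute URL
  }
  if (url.protocol !== "https:") return DEFAULT_GITLAB;
  if (!allowedHosts.has(url.hostname)) return DEFAULT_GITLAB;
  return url.origin;
}

// Builds the URL the "Authorize in GitLab" popup would open. Because the
// origin comes from resolveGitLabOrigin, the state token and redirect URI
// can only ever be sent to an allowlisted host.
function buildAuthorizeUrl(queryString, clientId, redirectUri, state) {
  const origin = resolveGitLabOrigin(queryString);
  const u = new URL("/oauth/authorize", origin); // assumed endpoint path
  u.searchParams.set("client_id", clientId);
  u.searchParams.set("redirect_uri", redirectUri);
  u.searchParams.set("response_type", "code");
  u.searchParams.set("state", state);
  return u.toString();
}

// Constructed sample input (not from the advisory): a link carrying an
// override that points somewhere other than the configured host.
const CRAFTED_QUERY = "?gitlab=https://not-gitlab.example";
console.log(resolveGitLabOrigin(CRAFTED_QUERY)); // falls back to https://gitlab.com
console.log(buildAuthorizeUrl(CRAFTED_QUERY, "client-id", "https://app.example/cb", "state-123"));
```

Self-hosted deployments that legitimately need a different server should add that host to the allowlist at build or configuration time rather than reading it from the link, so that the set of reachable OAuth servers is fixed by the operator and not by whoever crafts a URL.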
Problem types
CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Product status
References
github.com/...drawio/security/advisories/GHSA-8x7j-m8px-7p8x
github.com/jgraph/drawio/issues/493
github.com/jgraph/drawio/releases/tag/v29.7.9