Summary
An open redirect vulnerability exists in AuthService.handleCallback due to insufficient validation of the returnPathname value derived from the OAuth state parameter.
The state parameter is round-tripped through the identity provider (IdP) and can be influenced by an attacker. The handleCallback function decodes and returns returnPathname without enforcing restrictions on origin or scheme. As a result, attacker-controlled values (e.g., https://evil.com/, //evil.com, or similar variants) may be returned to the application.
If this value is used directly in a redirect (e.g., via an HTTP Location header, framework redirect helpers, or client-side navigation), it may cause the user to be redirected to an external, attacker-controlled site.
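As an added example (not code from @workos/authkit-session or from the advisory), the kind of downstream check a consuming application can apply to the returnPathname recovered from state before using it as a redirect target. It rejects absolute URLs, protocol-relative values, backslash variants and path-traversal tricks that resolve to a protocol-relative path; the base64url-JSON state encoding and the APP_ORIGIN value are assumptions.

```javascript
// Added example, not part of the advisory or the library. Validates a
// returnPathname value so it can only ever name a path on the app's own origin.
// Assumption: state is base64url of a JSON object containing returnPathname.

const APP_ORIGIN = "https://app.example.com"; // constructed sample origin
const DEFAULT_PATH = "/";

function decodeState(state) {
  // Assumed encoding; any parse failure yields an empty object, never a throw.
  try {
    const parsed = JSON.parse(Buffer.from(String(state), "base64url").toString("utf8"));
    return parsed && typeof parsed === "object" ? parsed : {};
  } catch {
    return {};
  }
}

function isSafeReturnPathname(value) {
  if (typeof value !== "string" || value.length === 0 || value.length > 2048) return false;
  // Exactly one leading slash: rejects "https://evil.com/", "//evil.com" and
  // "/\evil.com" (browsers treat the backslash as a slash in special schemes).
  if (!value.startsWith("/") || value.startsWith("//") || value.startsWith("/\\")) return false;
  // No control characters (header injection / parser confusion).
  if (/[\u0000-\u001f\u007f]/.test(value)) return false;
  let resolved;
  try {
    resolved = new URL(value, APP_ORIGIN);
  } catch {
    return false;
  }
  // Origin must be unchanged, and the normalised path must not itself start
  // with "//" (e.g. "/..//evil.com" resolves to pathname "//evil.com", which a
  // later redirect would read as protocol-relative).
  return resolved.origin === APP_ORIGIN && !resolved.pathname.startsWith("//");
}

function safeReturnPathname(state) {
  const { returnPathname } = decodeState(state);
  return isSafeReturnPathname(returnPathname) ? returnPathname : DEFAULT_PATH;
}
```

Only the validated value or the fixed default should ever reach a Location header or redirect helper.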
Security Impact
This issue may be used to facilitate phishing or user redirection attacks by leveraging the trust of the originating domain. For example, an attacker could craft a link that directs a user through a legitimate authentication flow and then redirects them to an external site.
The severity depends on how returnPathname is used by the application. Exploitation requires:
- The application to use returnPathname as a redirect target, and
- The absence of downstream validation or allowlisting
This vulnerability does not enable authentication bypass, token disclosure, or direct account compromise on its own, but may increase the effectiveness of social engineering attacks when combined with user interaction.
Vulnerability Type
CWE-601: URL Redirection to Untrusted Site (Open Redirect)
Patches
Patched in https://github.com/workos/authkit-session/releases/tag/v0.5.1
Impact
Untrusted input controls a URL used for redirection, which can forward users to attacker-controlled sites. Typical impact: phishing and credential harvesting via a trusted domain.
CVE-2026-42565 has a CVSS score of 4.3 (Medium). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (0.5.1); upgrading removes the vulnerable code path.
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2026-42565? CVE-2026-42565 is a medium-severity open redirect vulnerability in @workos/authkit-session (npm), affecting versions < 0.5.1. It is fixed in 0.5.1. Untrusted input controls a URL used for redirection, which can forward users to attacker-controlled sites.
- How severe is CVE-2026-42565? CVE-2026-42565 has a CVSS score of 4.3 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of @workos/authkit-session are affected by CVE-2026-42565? @workos/authkit-session (npm) versions < 0.5.1 are affected.
- Is there a fix for CVE-2026-42565? Yes. CVE-2026-42565 is fixed in 0.5.1. Upgrade to this version or later.
- Is CVE-2026-42565 exploitable, and should I be worried? Whether CVE-2026-42565 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
- What actually determines whether CVE-2026-42565 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-42565? Upgrade @workos/authkit-session to 0.5.1 or later.