VYPR
Unrated severity · NVD Advisory · Published Jun 29, 2022 · Updated Aug 4, 2024

CVE-2020-26877

Description

ApiFest OAuth 2.0 Server 0.3.1 does not validate the redirect URI in accordance with RFC 6749 and is susceptible to an open redirector attack. Specifically, it directly sends an authorization code to the redirect URI submitted with the authorization request, without checking whether the redirect URI is registered by the client who initiated the request. This allows an attacker to craft a request with a manipulated redirect URI (redirect_uri parameter), which is under the attacker's control, and consequently obtain the leaked authorization code when the server redirects the client to the manipulated redirect URI with an authorization code. NOTE: this is similar to CVE-2019-3778.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ApiFest OAuth 2.0 Server 0.3.1 fails to validate redirect URIs, enabling an open redirect that leaks authorization codes to attacker-controlled endpoints.

Vulnerability

ApiFest OAuth 2.0 Server version 0.3.1 does not validate the redirect_uri parameter against registered client URIs as required by RFC 6749 [1]. Consequently, an authorization code is sent to any URI supplied in the authorization request, even if it does not belong to the legitimate client. This violates OAuth 2.0 specification section 3.1.2.3 [1].

Exploitation

An attacker can craft an authorization request with a manipulated redirect_uri pointing to an attacker-controlled endpoint. When the legitimate user authorizes, the server redirects the browser to the attacker's URI with the authorization code appended. No authentication or prior access is needed for the attacker beyond the ability to initiate the authorization flow.

Impact

Successful exploitation allows the attacker to capture the authorization code. Using the client credentials (if known) or some other means of completing the token request, the attacker could then exchange the code for an access token, gaining unauthorized access to the user's resources. The attack compromises confidentiality and may enable further account takeover.

Mitigation

No updated version has been released addressing this issue. The project appears to be unmaintained; the GitHub repository [2] shows no recent activity. As a workaround, implement custom validation of the redirect_uri in the authorization endpoint, or switch to a maintained OAuth 2.0 server. This CVE is not currently listed in the CISA Known Exploited Vulnerabilities catalog.
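To make the flaw described under Vulnerability and the workaround suggested above concrete, the following is an added example (not ApiFest's code, and not from the advisory's references) of an authorization endpoint's redirect_uri handling: the weak form that trusts the request parameter, beside a form that applies the RFC 6749 rules (section 3.1.2.2 and 3.1.2.3). The client registry, client IDs and URIs are constructed placeholder values, and the `weak_authorize`, `validate_redirect_uri` and `hardened_authorize` names are hypothetical.

```python
"""Added example (not ApiFest code): redirect_uri handling at an OAuth 2.0
authorization endpoint, the vulnerable pattern beside an RFC 6749 exact-match pattern."""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlencode

# Constructed client registry (hypothetical values): client_id -> registered redirect URIs.
REGISTERED_CLIENTS: Dict[str, List[str]] = {
    "client-123": ["https://app.example/cb", "https://app.example/alt-cb"],
    "client-single": ["https://single.example/cb"],
}


@dataclass
class AuthzResult:
    redirect: bool            # whether the server would redirect the user agent
    location: Optional[str]   # Location header value when redirecting
    error: Optional[str]      # error shown to the resource owner when not redirecting


def weak_authorize(client_id: str, redirect_uri: str, code: str) -> AuthzResult:
    """Vulnerable pattern described in the advisory: the requested redirect_uri is
    used as-is, so the code is delivered to whatever URI the request carried."""
    if client_id not in REGISTERED_CLIENTS:
        return AuthzResult(False, None, "unknown_client")
    return AuthzResult(True, f"{redirect_uri}?{urlencode({'code': code})}", None)


def validate_redirect_uri(client_id: str, requested: Optional[str]) -> Optional[str]:
    """Return the redirect URI to use, or None when the request must be rejected.

    RFC 6749 s3.1.2.2: clients register their redirection URIs; s3.1.2.3: when a
    redirect_uri is supplied it MUST be compared with a registered one using
    simple string comparison (exact, case-sensitive; no prefix or host-only match).
    """
    registered = REGISTERED_CLIENTS.get(client_id)
    if not registered:
        return None
    if requested is None:
        # A missing redirect_uri is only acceptable when exactly one URI is registered.
        return registered[0] if len(registered) == 1 else None
    return requested if requested in registered else None


def hardened_authorize(client_id: str, redirect_uri: Optional[str], code: str) -> AuthzResult:
    """Fixed pattern: a mismatching or missing redirect_uri is reported to the
    resource owner; the user agent is never redirected to the unvalidated URI
    (RFC 6749 s4.1.2.1)."""
    target = validate_redirect_uri(client_id, redirect_uri)
    if target is None:
        return AuthzResult(False, None, "invalid_redirect_uri")
    return AuthzResult(True, f"{target}?{urlencode({'code': code})}", None)


if __name__ == "__main__":
    # Constructed request with a redirect_uri that the client never registered.
    unregistered = "https://unregistered.example/collect"
    print("weak    :", weak_authorize("client-123", unregistered, "SplxlOBeZQQYbYS6WxSbIA"))
    print("hardened:", hardened_authorize("client-123", unregistered, "SplxlOBeZQQYbYS6WxSbIA"))
    print("hardened:", hardened_authorize("client-123", "https://app.example/cb", "SplxlOBeZQQYbYS6WxSbIA"))
```

The design choice worth noting is that the hardened path fails closed in two ways: the comparison is an exact string match against the registration (so a URI that merely shares a host or prefix with a registered one is rejected), and on failure the server answers the resource owner directly instead of issuing any redirect, which is what keeps the authorization code from ever reaching the unvalidated URI.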

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.


References: 2
