Open Redirect in btcpayserver/btcpayserver
Description
Open Redirect in GitHub repository btcpayserver/btcpayserver prior to 1.7.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
BTCPay Server before 1.7.6 has an open redirect vulnerability in `UrlHelperExtensions` that allows phishing to an attacker-controlled domain.
Vulnerability
BTCPay Server versions prior to 1.7.6 contain an open redirect vulnerability in the UrlHelperExtensions class [1]. The EnsureLocal method fails to properly validate URLs when the request's Host header is used for comparison, allowing an attacker to craft a malicious URL that appears local but redirects to an external site [2].
Exploitation
An attacker can exploit this by sending a link that passes the EnsureLocal check due to a flaw in the host comparison logic. No authentication is required, as the vulnerability is exposed through unauthenticated endpoints that use the affected method [2]. The attacker only needs to convince a user to click the crafted link.
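To make the defensive point concrete, the following is an added illustrative example (not BTCPay Server's own UrlHelperExtensions or EnsureLocal code, whose exact logic the references do not reproduce). It contrasts a constructed naive "is this local?" check that compares against the request's Host header with a validator that only trusts a configured allowlist of the application's own hosts; the hostnames `pay.example` and `evil.example` and all test targets are constructed sample values.

```python
from urllib.parse import urlsplit

# Constructed allowlist standing in for the application's configured canonical host(s).
ALLOWED_HOSTS = frozenset({"pay.example"})


def naive_is_local(target: str, request_host: str) -> bool:
    """Constructed example of a weak check: treats any target whose parsed netloc is
    empty or equal to the request's Host header as 'local'. It accepts scheme-only
    targets (e.g. javascript:) and backslash variants because they parse with no
    netloc, and it keys the comparison on a header the application does not control."""
    return urlsplit(target).netloc in ("", request_host)


def is_safe_redirect(target: str, allowed_hosts: frozenset = ALLOWED_HOSTS) -> bool:
    """Return True only for targets that stay on the application's own origin."""
    if not target:
        return False
    # Whitespace and control characters change how browsers parse the URL; reject them.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in target):
        return False
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: require exactly one leading slash. "//host" is
        # protocol-relative and browsers normalise "/\host" to "//host".
        return target.startswith("/") and not target.startswith(("//", "/\\"))
    # Absolute target: only https, no userinfo (so "https://good@evil/" cannot
    # masquerade as the good host), and the full host[:port] must be allowlisted.
    if parts.scheme.lower() != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    return parts.netloc.lower() in allowed_hosts


def evaluate(targets, request_host: str = "pay.example") -> dict:
    """Run both checks over a list of targets; useful for regression tests."""
    return {t: (naive_is_local(t, request_host), is_safe_redirect(t)) for t in targets}


if __name__ == "__main__":
    # Constructed sample targets: a local path, an allowlisted absolute URL, and
    # several forms a redirect validator must reject.
    samples = [
        "/account/settings",
        "https://pay.example/invoice",
        "//evil.example/x",
        "/\\evil.example",
        "javascript:alert(1)",
        "https://pay.example@evil.example/",
        "https://evil.example/",
    ]
    for target, (naive, safe) in evaluate(samples).items():
        print(f"{target!r:40} naive={naive!s:5} hardened={safe}")
```

The hardened check keys every absolute-URL decision on configuration rather than on anything in the inbound request, which is the property a post-1.7.6 deployment should verify in its own redirect helpers.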
Impact
Successful exploitation allows an attacker to redirect a victim to any external website, which can be used for phishing attacks to steal credentials or other sensitive information. The user may believe they are navigating within BTCPay Server when in fact they are being sent to a malicious site [2].
Mitigation
The vulnerability is fixed in BTCPay Server version 1.7.6, released on or around February 8, 2023 [1]. Users should upgrade to this version or later. No workarounds are documented in the available references [2].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <1.7.6
- (no CPE) range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.