Open redirect in user_saml via RelayState parameter in Nextcloud User Saml
Description
Nextcloud User Saml is an app for authenticating Nextcloud users using SAML. In affected versions users can be given a link to the Nextcloud server and end up on an uncontrolled third-party server. It is recommended that the User Saml app is upgraded to version 5.1.5, 5.2.5, or 6.0.1. There are no known workarounds for this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- nextcloud/security-advisories (v5): >= 5.0.0, < 5.1.5
Vulnerability mechanics
Root cause
"Missing validation of the `originalUrl` parameter allows untrusted redirects."
Attack vector
An attacker can craft a link to a Nextcloud server's SAML login endpoint that includes an `originalUrl` query parameter pointing to an attacker-controlled third-party server [ref_id=1]. When a victim follows this link and completes the authentication flow, the application redirects them to the untrusted URL, resulting in an open redirect vulnerability. No special privileges or network position beyond crafting a hyperlink is required.
Affected code
The `login()` method in `SAMLController` (likely `lib/Controller/SAMLController.php` in the `user_saml` app) reads the `originalUrl` parameter from the HTTP request without validating it. The patch [ref_id=1] adds a check using `ITrustedDomainHelper::isTrustedUrl()` to reject untrusted URLs before using them as redirect targets or return URLs.
What the fix does
The patch [ref_id=1] introduces an `ITrustedDomainHelper` dependency and calls `isTrustedUrl()` on the `originalUrl` parameter. If the URL is not trusted, it is replaced with an empty string, so the subsequent redirect logic falls back to a safe default route (e.g., the login route itself or the app's root URL). This ensures that only URLs belonging to trusted domains are accepted as redirect targets, closing the open redirection vector.
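The check described above, as an added example in PHP that is not Nextcloud's code or the patch itself: `TrustedUrlFilter` stands in for the `ITrustedDomainHelper::isTrustedUrl()` call, and `resolveRedirectTarget()` mirrors the fallback behaviour (an untrusted `originalUrl` becomes an empty string and a default route is used). The class name, the method `resolveRedirectTarget()`, the sample domain list and the `cloud.example.test` / `attacker.example` hostnames are assumptions. It goes slightly beyond the page by also refusing non-http(s) schemes, which is stated in the comments.

```php
<?php
declare(strict_types=1);

// Added illustration, not Nextcloud code: TrustedUrlFilter stands in for the
// ITrustedDomainHelper::isTrustedUrl() check the patch calls. The class name,
// its constructor and the sample domain list below are assumptions.
final class TrustedUrlFilter
{
    /** @var string[] lower-cased "host" or "host:port" entries */
    private array $trustedDomains;

    /** @param string[] $trustedDomains analogous to a trusted_domains allow-list */
    public function __construct(array $trustedDomains)
    {
        $this->trustedDomains = array_map('strtolower', $trustedDomains);
    }

    /** True only for an absolute http(s) URL whose host is on the allow-list. */
    public function isTrustedUrl(string $url): bool
    {
        $parts = parse_url($url);
        if ($parts === false || empty($parts['host'])) {
            // Unparseable or relative input ("/apps/files", "") carries no host
            // we can vouch for, so it is not accepted as a redirect target.
            return false;
        }
        // Extra restriction in this illustration: protocol-relative ("//host/x"),
        // javascript: and data: inputs are rejected because they are not http(s).
        $scheme = strtolower($parts['scheme'] ?? '');
        if ($scheme !== 'http' && $scheme !== 'https') {
            return false;
        }
        // parse_url splits off user info, so "https://trusted@attacker.example"
        // yields host attacker.example rather than the name before the '@'.
        $host = strtolower($parts['host']);
        $hostWithPort = isset($parts['port']) ? $host . ':' . $parts['port'] : $host;
        // A bare-host entry matches any port; a host:port entry matches that port only.
        return in_array($host, $this->trustedDomains, true)
            || in_array($hostWithPort, $this->trustedDomains, true);
    }

    /** Mirrors the patch's fallback: an untrusted originalUrl becomes '' and the default route is used. */
    public function resolveRedirectTarget(string $originalUrl, string $defaultRoute): string
    {
        if (!$this->isTrustedUrl($originalUrl)) {
            $originalUrl = '';
        }
        return $originalUrl !== '' ? $originalUrl : $defaultRoute;
    }
}

// Constructed sample inputs for a server whose trusted domains are
// cloud.example.test (any port) and other.example.test on port 8443 only.
$filter = new TrustedUrlFilter(['cloud.example.test', 'other.example.test:8443']);
$defaultRoute = 'https://cloud.example.test/apps/files';

$samples = [
    'https://cloud.example.test/apps/calendar',       // trusted host: accepted
    'https://CLOUD.example.test:9443/apps/files',     // case-insensitive host, any port: accepted
    'https://other.example.test:8443/',               // host:port entry matches: accepted
    'https://other.example.test:9443/',               // port differs from the host:port entry: rejected
    'https://cloud.example.test@attacker.example/',   // user-info trick, real host is attacker.example: rejected
    '//attacker.example/login',                       // protocol-relative, no http(s) scheme: rejected
    'https://attacker.example/',                      // plainly untrusted: rejected
    'javascript:alert(1)',                            // not http(s): rejected
    '/apps/files',                                    // relative, no host: rejected
    '',                                               // missing parameter: default route
];

foreach ($samples as $url) {
    printf("%-48s trusted=%-5s -> %s\n",
        $url === '' ? '(empty)' : $url,
        $filter->isTrustedUrl($url) ? 'true' : 'false',
        $filter->resolveRedirectTarget($url, $defaultRoute));
}
```

Run with `php trusted_url_filter.php`; every rejected input resolves to `$defaultRoute`, which is the behaviour the patch relies on when it replaces an untrusted `originalUrl` with an empty string.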
Preconditions
- input: The attacker must be able to provide a link to the Nextcloud server's SAML login endpoint with a crafted `originalUrl` parameter.
- config: The SAML app must be configured with the 'saml' or 'environment-variable' authentication type (any type that uses the `originalUrl` parameter in the login flow).
- auth: The victim must click the crafted link and complete the SAML authentication flow (the redirect happens after the login process).
Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/nextcloud/security-advisories/security/advisories/GHSA-622q-xhfr-xmv7 (CONFIRM)
- github.com/nextcloud/user_saml/commit/b184304a476deeba36e92b70562d5de7c2f85f8a (MISC)
- github.com/nextcloud/user_saml/pull/788 (MISC)
- hackerone.com/reports/2263044 (MISC)