Low severity3.4NVD Advisory· Published May 8, 2026· Updated May 12, 2026

CVE-2026-42195

Description

draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.9, the draw.io client accepts a ?gitlab= URL parameter that overrides the GitLab server URL used during OAuth sign-in. A crafted link causes the user's click on draw.io's "Authorize in GitLab" dialog to open a popup on the attacker-controlled host instead of gitlab.com. This can lead to credential fishing and session state token exfiltration. This issue has been patched in version 29.7.9.

Affected products

Jgraph/Drawioinferred
Range: <29.7.9

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/jgraph/drawio/issues/493nvd
github.com/jgraph/drawio/releases/tag/v29.7.9nvd
github.com/jgraph/drawio/security/advisories/GHSA-8x7j-m8px-7p8xnvd

News mentions

No linked articles in our index yet.

cvss	0.221
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000