Open Redirect Vulnerability in AFFiNE by ToEverything
CVE-2026-25477

6.9MEDIUM

Key Information:

Vendor: Toeverything
Status: Affine
Vendor: CVE Published:; 2 March 2026

🔔 Create Toeverything Vulnerability Alert

What is CVE-2026-25477?

The AFFiNE platform, an open-source workspace solution, contains an Open Redirect vulnerability in versions before 0.26.0. This flaw is attributed to insufficient validation logic within the domain-checking process at the /redirect-proxy endpoint. Attackers can exploit this issue by utilizing specially crafted domains that, while appearing to match an allowed format, actually contain malicious components. Users are encouraged to update to version 0.26.0 or later to mitigate these risks and enhance their security posture.

Affected Version(s)

AFFiNE < 0.26.0

References

https://github.com/toeverything/AFFiNE/security/advisorie...

x_refsource_CONFIRM

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 2, 2026
Vulnerability Reserved
Feb 2, 2026

CVE-2026-25477 Data

JSON