OAuth Vulnerability in draw.io by jgraph
CVE-2026-42195

3.4 LOW

Key Information:

Vendor: Jgraph
Status: Vendor
CVE Published: 8 May 2026

What is CVE-2026-42195?

A vulnerability exists in draw.io's OAuth sign-in: the client improperly handles the ?gitlab= URL parameter, allowing an attacker to redirect OAuth authorization requests to a server they control. This manipulation can lead to credential phishing, enabling the attacker to capture user credentials and session state tokens. The issue is resolved in version 29.7.9, and users are strongly advised to update to that version to mitigate the risk.
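As an added example that is not draw.io's own code, the check below shows the defensive pattern for the bug class described above: a client that derives its OAuth authorization server from a ?gitlab= URL parameter should honour only values whose parsed host is on an explicit allowlist, and fall back to the default instance otherwise. It assumes the parameter carries a GitLab instance base URL; the page URL, allowlist and client settings are constructed.

```javascript
// Added example (not draw.io's code): derive the GitLab base used for the OAuth
// authorization request from a ?gitlab= query parameter, accepting only an
// allowlisted https host. Assumption: the parameter names a GitLab base URL.
const DEFAULT_GITLAB = 'https://gitlab.com';
const ALLOWED_GITLAB_HOSTS = new Set(['gitlab.com']); // constructed allowlist

function resolveGitlabBase(pageUrl) {
  const raw = new URL(pageUrl).searchParams.get('gitlab');
  if (raw === null) return DEFAULT_GITLAB;
  let candidate;
  try {
    candidate = new URL(raw); // relative or garbage values throw here
  } catch (_err) {
    return DEFAULT_GITLAB; // never build an authorize URL from an unparsable value
  }
  // Compare the parsed hostname, not the raw string, so look-alike hosts such as
  // "gitlab.com.attacker.example" or userinfo tricks ("gitlab.com@...") fail.
  if (candidate.protocol !== 'https:' || !ALLOWED_GITLAB_HOSTS.has(candidate.hostname)) {
    return DEFAULT_GITLAB;
  }
  return candidate.origin; // drop any path/query the caller supplied
}

// Build the authorization URL against the resolved base so the client_id,
// redirect_uri and state can only ever be sent to an allowlisted server.
function buildAuthorizeUrl(pageUrl, clientId, redirectUri, state) {
  const u = new URL('/oauth/authorize', resolveGitlabBase(pageUrl));
  u.searchParams.set('client_id', clientId);
  u.searchParams.set('redirect_uri', redirectUri);
  u.searchParams.set('response_type', 'code');
  u.searchParams.set('state', state);
  return u.toString();
}
```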

Affected Version(s)

drawio < 29.7.9

CVSS V3.1

Score: 3.4
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published
  • Vulnerability reserved