CVE-2026-42195

low

Description

draw.io is a configurable diagramming and whiteboarding application. Prior to version 29.7.9, the draw.io client accepts a ?gitlab= URL parameter that overrides the GitLab server URL used during OAuth sign-in. A crafted link causes the user's click on draw.io's "Authorize in GitLab" dialog to open a popup on the attacker-controlled host instead of gitlab.com. This can lead to credential fishing and session state token exfiltration. This issue has been patched in version 29.7.9.

References

https://github.com/jgraph/drawio/security/advisories/GHSA-8x7j-m8px-7p8x

https://github.com/jgraph/drawio/releases/tag/v29.7.9

https://github.com/jgraph/drawio/issues/493

Details

Source: Mitre, NVD

Published: 2026-05-08

Updated: 2026-05-12

Risk Information

CVSS v2

Base Score: 2.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N

Severity: Low

CVSS v3

Base Score: 3.4

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N

Severity: Low

EPSS

EPSS: 0.00028