Intel

AIKIDO-2026-295878

Microsoft.Identity.Web is vulnerable to Open Redirect

Open Redirect Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 3 days ago

65

Medium Risk

This Affects:

DOTNETMicrosoft.Identity.Web
3.0.0 - 3.14.0
Fixed in 3.15.0
4.0.0 - 4.8.0
Fixed in 4.9.0
Are you affected? Scan for Free

TL;DR

In Microsoft.Identity.Web, the redirectUri handling in /MicrosoftIdentity/Account/Challenge was hardened to allow only same-origin values and to reject encoded/proxy-bypass paths (%2f, %5c, etc.), preventing open-redirect/protocol-relative bypasses.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

Microsoft.Identity.Web is vulnerable to Open Redirect in versions 3.0.0 - 3.14.0 and 4.0.0 - 4.8.0.

How to fix this

Upgrade the Microsoft.Identity.Web library to the patch version.