{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-44889", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-05-07T21:50:33.545Z", "datePublished": "2026-06-22T21:30:11.789Z", "dateUpdated": "2026-06-23T15:05:27.698Z"}, "containers": {"cna": {"title": "WebOb: Location header normalization during redirect leads to open redirect", "problemTypes": [{"descriptions": [{"cweId": "CWE-601", "lang": "en", "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/Pylons/webob/security/advisories/GHSA-fh3h-vg37-cc95", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/Pylons/webob/security/advisories/GHSA-fh3h-vg37-cc95"}], "affected": [{"vendor": "Pylons", "product": "webob", "versions": [{"version": "< 1.8.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-22T21:30:11.789Z"}, "descriptions": [{"lang": "en", "value": "WebOb provides objects for HTTP requests and responses. Prior to 1.8.10, the normalization of the HTTP Location header during a redirect is vulnerable to an open redirect: WebOb joins the redirect target to the request URI using Python's urljoin, and since Python 3.10 the underlying urlsplit strips ASCII tab, carriage return, and newline characters before parsing, so a redirect target containing such characters can be reinterpreted as a protocol-relative URL whose authority is an attacker-controlled host. This bypasses the CVE-2024-42353 fix that escaped a leading double slash, allowing an attacker who influences the redirect location to send users to an arbitrary external site instead of the intended one. This vulnerability is fixed in 1.8.10."}], "source": {"advisory": "GHSA-fh3h-vg37-cc95", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-23T14:58:48.576241Z", "id": "CVE-2026-44889", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-23T15:05:27.698Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-44889", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-23T14:58:48.576241Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-23T14:58:52.123Z"}}], "cna": {"title": "WebOb: Location header normalization during redirect leads to open redirect", "source": {"advisory": "GHSA-fh3h-vg37-cc95", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "Pylons", "product": "webob", "versions": [{"status": "affected", "version": "< 1.8.10"}]}], "references": [{"url": "https://github.com/Pylons/webob/security/advisories/GHSA-fh3h-vg37-cc95", "name": "https://github.com/Pylons/webob/security/advisories/GHSA-fh3h-vg37-cc95", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "WebOb provides objects for HTTP requests and responses. Prior to 1.8.10, the normalization of the HTTP Location header during a redirect is vulnerable to an open redirect: WebOb joins the redirect target to the request URI using Python's urljoin, and since Python 3.10 the underlying urlsplit strips ASCII tab, carriage return, and newline characters before parsing, so a redirect target containing such characters can be reinterpreted as a protocol-relative URL whose authority is an attacker-controlled host. This bypasses the CVE-2024-42353 fix that escaped a leading double slash, allowing an attacker who influences the redirect location to send users to an arbitrary external site instead of the intended one. This vulnerability is fixed in 1.8.10."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-601", "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-22T21:30:11.789Z"}}}, "cveMetadata": {"cveId": "CVE-2026-44889", "state": "PUBLISHED", "dateUpdated": "2026-06-23T15:05:27.698Z", "dateReserved": "2026-05-07T21:50:33.545Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-06-22T21:30:11.789Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{}

{"bugzilla": {"description": "webob: python-webob: WebOb: Open Redirect vulnerability via HTTP Location header normalization", "id": "2491570", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2491570"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-601", "details": ["A flaw was found in WebOb, a library for HTTP requests and responses. A remote attacker could exploit this vulnerability by influencing the HTTP Location header during a redirect. Due to improper normalization of the Location header, specifically how certain ASCII characters are handled, an attacker can cause a user to be redirected to an arbitrary external website instead of the intended destination. This open redirect vulnerability can lead to information disclosure and impact the integrity of user sessions."], "mitigation": {"lang": "en:us", "value": "This vulnerability in WebOb is only exploitable when running under Python 3.10 or later, where urllib.parse.urlsplit strips ASCII tab, carriage return, and newline characters before parsing. Red Hat Enterprise Linux, OpenShift Container Platform, Red Hat OpenStack Platform, Red Hat Ceph Storage, and Red Hat Quay all ship python-webob with Python 3.9 or earlier as the platform Python runtime, and are therefore not affected by this vulnerability. Fedora and EPEL ship python-webob under Python 3.12+, where the vulnerability is exploitable. Users running WebOb on Python 3.10+ should upgrade to WebOb 1.8.10. As a workaround, applications can validate that redirect targets start with a scheme (e.g. http:// or https://) and the expected host before assigning to Response.location."}, "name": "CVE-2026-44889", "package_state": [{"cpe": "cpe:/a:redhat:ceph_storage:4", "fix_state": "Not affected", "package_name": "python-webob", "product_name": "Red Hat Ceph Storage 4"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "python-webob", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "python-webob", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "python-webob", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openstack:16.2", "fix_state": "Not affected", "package_name": "python-webob", "product_name": "Red Hat OpenStack Platform 16.2"}, {"cpe": "cpe:/a:redhat:openstack:17.1", "fix_state": "Not affected", "package_name": "python-webob", "product_name": "Red Hat OpenStack Platform 17.1"}, {"cpe": "cpe:/a:redhat:openstack:18.0", "fix_state": "Not affected", "package_name": "python-webob", "product_name": "Red Hat OpenStack Platform 18.0"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Not affected", "package_name": "quay/quay-rhel8", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Not affected", "package_name": "quay/quay-rhel9", "product_name": "Red Hat Quay 3"}], "public_date": "2026-06-22T21:30:11Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-44889\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-44889\nhttps://github.com/Pylons/webob/security/advisories/GHSA-fh3h-vg37-cc95"], "statement": "This is rated as Moderate (CVSS 6.1) because exploitation requires user interaction \u2014 a victim must click a crafted link that triggers the redirect (UI:R). While the attack is network-accessible (AV:N) and requires no privileges (PR:N), the impact is limited to low confidentiality and integrity effects typical of an open redirect (phishing, session misdirection), with no availability impact. Critically, this vulnerability is only exploitable on Python 3.10 or later, where urllib.parse.urlsplit strips tab, carriage return, and newline characters before parsing. All Red Hat product streams that ship python-webob \u2014 including Red Hat OpenShift Container Platform, Red Hat OpenStack Platform, Red Hat Ceph Storage, and Red Hat Quay \u2014 use Python 3.9 or earlier as the platform runtime, and are therefore not affected. Fedora and EPEL ship python-webob under Python 3.12+ and are affected. Users running WebOb on Python 3.10+ should upgrade to version 1.8.10, or validate that redirect targets include an explicit scheme with the expected host before assigning to Response.location.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.8.10)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "webob", "source": "cna", "vendor": "Pylons"}, "product": "webob", "vendor": "pylons"}], "created": "2026-06-23T00:00:16.884827+00:00", "updated": "2026-06-23T21:03:09.826031+00:00", "vendors": ["pylons", "pylons$PRODUCT$webob"]}