lemonldap-ng <=2.23.0 open redirect via SAML CDC URL arg
CVE-2026-12804 Published on June 21, 2026
lemonldap-ng SAML Common Domain Cookie Endpoint CDC.pm redirect
A vulnerability was detected in lemonldap-ng up to 2.23.0. Impacted is an unknown function in the library lemonldap-ng-portal/lib/Lemonldap/NG/Portal/CDC.pm of the component SAML Common Domain Cookie Endpoint. Performing a manipulation of the argument url results in open redirect. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Timeline
Advisory disclosed
VulDB entry created
VulDB entry last update
Weakness Type
What is an Open Redirect Vulnerability?
A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks. An http parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.
CVE-2026-12804 has been classified to as an Open Redirect vulnerability or weakness.
Products Associated with CVE-2026-12804
Want to know whenever a new CVE is published for Lemonldap Ng? stack.watch will email you.
