[GH-ISSUE #8551] Open Redirect on SignUp Page #3896

Closed
opened 2026-03-23 21:33:57 +00:00 by mirror · 7 comments

Originally created by @Devilspo on GitHub (Mar 2, 2026).
Original GitHub issue: https://github.com/AppFlowy-IO/AppFlowy/issues/8551

Bug Description

The SignUp endpoint is vulnerable to an Open Redirect vulnerability.
An attacker can manipulate the redirectTo parameter to redirect users to an arbitrary external domain after signup.
This can be used for phishing attacks and social engineering by abusing the trusted domain.

How to Reproduce

  1. Open the following URL in a browser: https://appflowy.com/login?redirectTo=https%3A%2F%2Fappflowy.com%2Fapp
  2. Change the above URL to: https://appflowy.com/login?redirectTo=https%3A%2F%2Fevil.com and press Enter
  3. Complete the signup process (or trigger redirect if automatic).
  4. Observe that the application redirects the user to: "http://evil.com/"

Expected Behavior

The application should validate the redirectTo (or redirect) parameter and ensure that users are only redirected to trusted internal pages after completing the signup process.

Operating System

Windows

AppFlowy Version(s)

https://appflowy.com

Screenshots

(Seven screenshots are attached to the original GitHub issue; not reproduced here.)

Additional Context

This vulnerability allows an attacker to redirect users from a trusted domain to a malicious external website.

Because the malicious link begins with the legitimate domain, users are more likely to trust and click it, significantly increasing the success rate of phishing attacks.

An attacker can use this issue to steal user credentials, distribute malware, or conduct large-scale social engineering campaigns.

The trusted domain reputation may help bypass email security filters and web protection mechanisms.

If combined with authentication flows or token-based mechanisms, this vulnerability could potentially lead to account takeover.

Overall, this issue increases the risk of phishing, brand abuse, and user compromise, posing a significant threat to both users and the organization’s reputation.

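The expected behavior above (only ever redirect to trusted internal pages after signup) is easier to get right by resolving the parameter with a real URL parser and comparing origins than by checking string prefixes. The following is an added example, not AppFlowy code and not the fix the maintainers shipped; it assumes the trusted origin is `https://appflowy.com` and the default landing page is `/app` (both taken from the URLs in the report), and the names `classifyRedirect` and `safeRedirectTarget` are hypothetical.

```javascript
// Added example (not AppFlowy code): validate a post-login/signup
// "redirectTo" value so the browser is only ever sent to a same-origin page.
// Assumptions: trusted origin "https://appflowy.com" and default landing
// page "/app" come from the URLs in the report; the function names are
// hypothetical and not part of the AppFlowy code base.

const TRUSTED_ORIGIN = "https://appflowy.com";
const DEFAULT_TARGET = "/app";

/**
 * Decide whether `redirectTo` may be followed.
 * Returns { ok: true, target } where target is the same-origin path
 * (path + query + fragment), or { ok: false, reason } otherwise.
 * The reason string is suitable for logging, so rejected values can be
 * counted and investigated rather than silently dropped.
 */
function classifyRedirect(redirectTo, trustedOrigin = TRUSTED_ORIGIN) {
  if (typeof redirectTo !== "string" || redirectTo.trim() === "") {
    return { ok: false, reason: "missing redirectTo" };
  }
  let url;
  try {
    // Resolve relative values against the trusted origin. The WHATWG URL
    // parser normalizes forms a naive startsWith("/") or prefix check gets
    // wrong: protocol-relative "//host", backslash variants, default ports
    // and hostname case all end up as the host the browser would really visit.
    url = new URL(redirectTo, trustedOrigin);
  } catch {
    return { ok: false, reason: "unparseable redirectTo" };
  }
  // Non-http(s) schemes (javascript:, data:, ...) yield origin "null";
  // any other host, including lookalikes such as appflowy.com.evil.com,
  // yields an origin that is not the trusted one.
  const expected = new URL(trustedOrigin).origin;
  if (url.origin !== expected) {
    return { ok: false, reason: `origin ${url.origin} is not ${expected}` };
  }
  // Return only the path portion; the caller builds the final Location
  // from trustedOrigin + target, so attacker-controlled text is never
  // used as a host.
  return { ok: true, target: url.pathname + url.search + url.hash };
}

/** Convenience wrapper: the validated target, or the default page. */
function safeRedirectTarget(redirectTo, trustedOrigin = TRUSTED_ORIGIN, fallback = DEFAULT_TARGET) {
  const result = classifyRedirect(redirectTo, trustedOrigin);
  return result.ok ? result.target : fallback;
}

// Constructed sample inputs (not from the report, except the two marked),
// so the decisions can be reviewed in one place.
const SAMPLES = [
  "/app",                              // plain relative path
  "/app?ws=1#top",                     // query and fragment are kept
  "https://appflowy.com/app",          // the report's original value
  "https://APPFLOWY.com:443/app",      // same origin after normalization
  "https://evil.com",                  // the report's malicious value
  "//evil.com/app",                    // protocol-relative form
  "/\\evil.com/app",                   // backslash form
  "https://appflowy.com.evil.com/app", // lookalike host
  "javascript:void(0)",                // non-http scheme
  "",                                  // missing value
];

function evaluateSamples() {
  return SAMPLES.map((input) => ({ input, ...classifyRedirect(input) }));
}

for (const r of evaluateSamples()) {
  console.log(r.ok ? `ACCEPT ${JSON.stringify(r.input)} -> ${r.target}`
                   : `REJECT ${JSON.stringify(r.input)} (${r.reason})`);
}
```

The design choice worth noting is the last return: the validator hands back a path, never a full URL, so whatever builds the `Location` header concatenates it onto the trusted origin itself. That keeps the check and the redirect from drifting apart if the allowed origin ever changes, and it means a parser quirk in the input can at worst pick a different page on the same site.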

@LucasXu0 commented on GitHub (Mar 3, 2026):

Thanks for reporting this. We’re working on a fix.


@Devilspo commented on GitHub (Mar 4, 2026):

Any update?


@Arpit934823 commented on GitHub (Mar 6, 2026):

Hi, I'd like to work on this issue.

Could you clarify where the login/signup redirect logic is implemented?
Is it inside this repository or handled by the AppFlowy web service?


@Devilspo commented on GitHub (Mar 10, 2026):

Hi, thank you for the clarification.

I investigated the issue further and found that the vulnerability occurs during the signup process, and it appears to be handled by the AppFlowy web service.


@Devilspo commented on GitHub (Mar 15, 2026):

Any update?


@Devilspo commented on GitHub (Mar 18, 2026):

Can I disclose this vulnerability?


@annieappflowy commented on GitHub (Mar 19, 2026):

@Devilspo, we have fixed this issue and will release it soon. Thank you!
