CVE-2026-10839 - Vulnerability Details - OpenCVE

Open redirection vulnerability in the authentication system allows an attacker to use manipulated values in the X-Forwarded-Host header to alter the URLs generated by the application. A successful exploit could redirect authenticated users to malicious sites following login procedures or interaction with the interface, resulting in limited impact on confidentiality and integrity.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Password Manager	Password Manager

No data.

No data.

References

Link	Providers
https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-password-manager

History

Wed, 17 Jun 2026 12:45:00 +0000

Type	Values Removed	Values Added
Description		Open redirection vulnerability in the authentication system allows an attacker to use manipulated values in the X-Forwarded-Host header to alter the URLs generated by the application. A successful exploit could redirect authenticated users to malicious sites following login procedures or interaction with the interface, resulting in limited impact on confidentiality and integrity.
Title		Open redirection vulnerability in Password Manager
First Time appeared		Password Manager Password Manager password Manager
Weaknesses		CWE-601
CPEs		cpe:2.3:a:password_manager:password_manager:::::::: cpe:2.3:a:password_manager:password_manager:08_07_2025:::::::*
Vendors & Products		Password Manager Password Manager password Manager
References		https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-password-manager
Metrics		cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: INCIBE

Published: 2026-06-17T11:11:56.686Z

Updated: 2026-06-17T14:57:50.529Z

Reserved: 2026-06-04T11:17:20.822Z

Link: CVE-2026-10839

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-10839", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2026-06-04T11:17:20.822Z", "datePublished": "2026-06-17T11:11:56.686Z", "dateUpdated": "2026-06-17T14:57:50.529Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2026-06-17T11:11:56.686Z"}, "title": "Open redirection vulnerability in Password Manager", "datePublic": "2026-06-17T10:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-601", "description": "CWE-601 URL redirection to untrusted site ('open redirect')", "type": "CWE"}]}], "affected": [{"vendor": "Password Manager", "product": "Password Manager", "versions": [{"status": "affected", "version": "0", "lessThan": "08/07/2025", "versionType": "date"}, {"status": "unaffected", "version": "08/07/2025", "versionType": "date"}], "defaultStatus": "unaffected"}], "cpeApplicability": [{"operator": "OR", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:password_manager:password_manager:*:*:*:*:*:*:*:*", "versionStartIncluding": "0", "versionEndExcluding": "08_07_2025"}, {"vulnerable": false, "criteria": "cpe:2.3:a:password_manager:password_manager:08_07_2025:*:*:*:*:*:*:*"}]}]}], "descriptions": [{"lang": "en", "value": "Open redirection vulnerability in the authentication system allows an attacker to use manipulated values in the X-Forwarded-Host header to alter the URLs generated by the application. A successful exploit could redirect authenticated users to malicious sites following login procedures or interaction with the interface, resulting in limited impact on confidentiality and integrity.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Open redirection vulnerability in the authentication system allows an attacker to use manipulated values in the X-Forwarded-Host header to alter the URLs generated by the application. A successful exploit could redirect authenticated users to malicious sites following login procedures or interaction with the interface, resulting in limited impact on confidentiality and integrity."}]}], "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-password-manager", "tags": ["patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N"}}], "solutions": [{"lang": "en", "value": "The vulnearbility has been fixed by the Password Manager team on 08/07/2025. It is recommend to update to the latest available version.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "The vulnearbility has been fixed by the Password Manager team on 08/07/2025. It is recommend to update to the latest available version."}]}], "source": {"defect": ["Julen Garrido Est\u00e9vez"], "discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.2"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-17T14:57:30.908194Z", "id": "CVE-2026-10839", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-17T14:57:50.529Z"}}]}}