PatchSiren cyber security CVE debrief
CVE-2026-42207 OpenMage CVE debrief
CVE-2026-42207 is a medium-severity open redirect in Magento Long Term Support (LTS) before 20.18.0. The issue affects the product alert add flow: when the supplied product_id does not match an existing catalog product, Mage_ProductAlert_AddController::stockAction() uses the uenc query parameter as a redirect target without validating that the destination is internal. The result is an unvalidated HTTP 302 redirect to an attacker-supplied URL. The issue is fixed in version 20.18.0.
- Vendor: OpenMage
- Product: Magento LTS
- CVSS: MEDIUM 6.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-15
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-15
- Advisory updated: 2026-05-18
Who should care
Administrators and operators of OpenMage Magento LTS deployments, especially stores that expose the product alert flow or related frontend flows. Security teams should care because open redirects can support phishing, link-trust abuse, and chained attacks against users who trust the site's domain.
Technical summary
According to the advisory and NVD record, Mage_ProductAlert_AddController::stockAction() reads the uenc query parameter and passes it directly to _redirectUrl($backUrl) without calling _isUrlInternal(). If the requested product_id does not match a catalog product, the application responds with an HTTP 302 redirect to the supplied URL. The weakness is classified as CWE-601 (open redirect) and is rated CVSS 3.1 6.1/Medium with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N.
Defensive priority
Medium priority. This is not a direct code-execution issue, but it can undermine user trust and be used in phishing or redirect-chaining scenarios. Remediation should be scheduled promptly if the affected product flow is exposed to users.
Recommended defensive actions
- Upgrade Magento LTS / OpenMage Magento LTS to 20.18.0 or later.
- Verify whether your storefront uses the affected product alert add controller flow and review any customizations around redirect handling.
- Ensure redirect targets are validated as internal before use; reject or sanitize externally supplied return URLs such as uenc where appropriate.
- Monitor logs for unusual redirect activity involving product alert endpoints and suspicious external destinations.
- If immediate upgrade is not possible, reduce exposure of the affected frontend path and apply compensating controls in application code or routing layers until patched.
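The redirect behaviour described in the technical summary and the internal-target validation recommended above, as an added example that is not OpenMage code and is written in Python rather than the controller's PHP. Assumed: the uenc encoding convention (base64 with '+/=' mapped to '-_,'), a constructed store base URL, and hypothetical function names.

```python
import base64
import binascii
from urllib.parse import urlsplit

# Constructed store base URL; a real deployment reads it from the store configuration.
STORE_BASE_URL = "https://shop.example.com/"


def uenc_encode(url: str) -> str:
    """Encode a URL the way Magento 1 builds 'uenc' (assumed: base64 with '+/=' mapped to '-_,')."""
    return base64.b64encode(url.encode()).decode().translate(str.maketrans("+/=", "-_,"))


def uenc_decode(value: str) -> str:
    """Reverse of uenc_encode; returns '' for undecodable input instead of raising."""
    try:
        return base64.b64decode(value.translate(str.maketrans("-_,", "+/="))).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return ""


def is_url_internal(url: str, base_url: str = STORE_BASE_URL) -> bool:
    """Strict form of the missing _isUrlInternal() check: an absolute http(s) URL whose
    scheme, host and port equal the store's. A bare string-prefix comparison is weaker,
    since it accepts hosts such as shop.example.com.evil.test."""
    if "\\" in url:                      # browsers treat '\' as '/' in http URLs
        return False
    target, base = urlsplit(url), urlsplit(base_url)
    if target.scheme not in ("http", "https") or "@" in target.netloc:
        return False
    try:
        same_port = target.port == base.port
    except ValueError:                   # malformed port such as 'https://host:abc/'
        return False
    return (target.scheme == base.scheme
            and (target.hostname or "").lower() == (base.hostname or "").lower()
            and same_port)


def vulnerable_back_url(uenc: str) -> str:
    """Pre-20.18.0 behaviour as the debrief describes it: when the product lookup fails,
    the decoded uenc becomes the 302 Location with no internal-URL check."""
    return uenc_decode(uenc)


def hardened_back_url(uenc: str) -> str:
    """Same flow with validation: fall back to the storefront home for any non-internal target."""
    back_url = uenc_decode(uenc)
    return back_url if is_url_internal(back_url) else STORE_BASE_URL
```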
Evidence notes
The CVE description states that prior to 20.18.0, Mage_ProductAlert_AddController::stockAction() uses the uenc parameter directly in _redirectUrl($backUrl) without _isUrlInternal(), and that this leads to an unvalidated HTTP 302 redirect when product_id does not match a catalog product. The NVD record maps the weakness to CWE-601 and lists the CVSS vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The CVE record and NVD source item both show the CVE published on 2026-05-15 and modified on 2026-05-18.
Official resources
- CVE-2026-42207 CVE record (CVE.org)
- CVE-2026-42207 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: Public advisory material and the CVE record identify the issue as fixed in 20.18.0. The supplied NVD record marks the CVE as Deferred at the time of the source item.