PatchSiren

CVE-2026-9566 teableio CVE debrief

A cross-site scripting (XSS) vulnerability exists in Teable's login redirect functionality. The issue stems from insufficient validation of the `redirect` parameter in the login page component, allowing manipulation that could lead to XSS. The vulnerability is remotely exploitable and has publicly available exploit information. The vendor has confirmed remediation through input validation using `isValidRedirectPath()` to block dangerous schemes including `javascript:`, `data:`, and cross-origin redirects.

Vendor: teableio
Product: teable
CVSS: LOW 2.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-26
Original CVE updated: 2026-05-26
Advisory published: 2026-05-26
Advisory updated: 2026-05-26

Who should care

Organizations running Teable instances prior to release.2026-04-21T08-57-20Z.1513, particularly those with externally accessible authentication endpoints. Also relevant to security teams that monitor open-source application vulnerabilities and XSS attack vectors in authentication flows.

Technical summary

The vulnerability resides in `apps/nextjs-app/src/features/auth/pages/LoginPage.tsx`, in the sign-up component's handling of the `redirect` parameter. Prior to the fix, the redirect value was not validated before navigation, so a crafted value could carry an XSS payload. The remediation adds an `isValidRedirectPath()` check that explicitly blocks `javascript:` and `data:` schemes and cross-origin redirect targets.

Defensive priority

Low

Recommended defensive actions

  • Upgrade Teable to version release.2026-04-21T08-57-20Z.1513 or later to obtain the fix for the login redirect validation
  • Review and validate any custom redirect handling implementations in authentication flows
  • Implement Content Security Policy (CSP) headers as defense-in-depth against XSS vectors
  • Monitor for and block suspicious redirect parameters containing `javascript:`, `data:`, or unexpected external URLs in web application firewalls
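
The validation described in the technical summary and the monitoring action in the last bullet, as one added TypeScript example that is not Teable's own code: the function name `isValidRedirectPath` is reused only to mirror the advisory, and its body, the `APP_ORIGIN` value, the access-log format and the log lines are all assumptions constructed for this illustration. The same allow-list check that a login page would apply before navigating is reused to triage logged `redirect` parameters after the fact.

```typescript
// Added example (not Teable's code): a same-origin redirect allow-list and a
// log triage pass built on it. APP_ORIGIN is an assumed deployment origin.
const APP_ORIGIN = "https://app.example.com";

/**
 * Accept only absolute, same-origin paths ("/space/..."), never full URLs.
 * Rejecting anything that does not start with a single "/" excludes
 * "javascript:" and "data:" schemes and any host-bearing value; the explicit
 * "//" and "/\" checks exclude protocol-relative forms (browsers treat "\"
 * as "/" when resolving). The final URL resolution is a belt-and-braces
 * confirmation that the parser agrees the target stays on our origin.
 */
export function isValidRedirectPath(value: unknown): boolean {
  if (typeof value !== "string" || value.length === 0 || value.length > 2048) {
    return false; // 2048 is an assumed sanity cap on redirect length
  }
  if (!value.startsWith("/") || value.startsWith("//") || value.startsWith("/\\")) {
    return false;
  }
  // Raw control characters and whitespace have no place in a redirect path.
  if (/[\u0000-\u0020\u007f]/.test(value)) {
    return false;
  }
  try {
    return new URL(value, APP_ORIGIN).origin === APP_ORIGIN;
  } catch {
    return false;
  }
}

// Constructed sample access-log lines in a common combined-log shape; these
// are illustrative, not real Teable logs. Query values are percent-encoded
// as a web server would record them.
export const SAMPLE_LOG_LINES: string[] = [
  '203.0.113.10 - - [26/May/2026:10:00:01 +0000] "GET /auth/login?redirect=%2Fspace%2Fbase123 HTTP/1.1" 200 512',
  '203.0.113.11 - - [26/May/2026:10:00:02 +0000] "GET /auth/login?redirect=javascript%3Avoid%280%29 HTTP/1.1" 200 512',
  '203.0.113.12 - - [26/May/2026:10:00:03 +0000] "GET /auth/login?redirect=%2F%2Fattacker.example%2F HTTP/1.1" 200 512',
  '203.0.113.13 - - [26/May/2026:10:00:04 +0000] "GET /auth/login?redirect=data%3A%2Cx HTTP/1.1" 200 512',
  '203.0.113.14 - - [26/May/2026:10:00:05 +0000] "GET /auth/login HTTP/1.1" 200 512',
];

export interface RedirectFinding {
  ip: string;
  redirect: string; // decoded value of the redirect parameter
}

/**
 * Flag every request whose redirect parameter would fail the allow-list.
 * Parsing the request target as a URL decodes the query string for us, so
 * the check runs on the value the application would actually have seen.
 */
export function findSuspiciousRedirects(lines: string[]): RedirectFinding[] {
  const findings: RedirectFinding[] = [];
  for (const line of lines) {
    const m = /^(\S+) \S+ \S+ \[[^\]]*\] "(?:GET|POST) (\S+) HTTP\//.exec(line);
    if (!m) continue; // not in the expected log shape; skip rather than guess
    const redirect = new URL(m[2], APP_ORIGIN).searchParams.get("redirect");
    if (redirect === null) continue; // no redirect parameter on this request
    if (!isValidRedirectPath(redirect)) {
      findings.push({ ip: m[1], redirect });
    }
  }
  return findings;
}

console.log(findSuspiciousRedirects(SAMPLE_LOG_LINES));
```

The allow-list deliberately refuses absolute URLs even when they point at the application's own origin; accepting only paths keeps the policy small enough to reason about and removes the need to compare hostnames. Applied to the constructed log lines, the triage flags the `javascript:`, protocol-relative and `data:` values and passes the ordinary `/space/...` path.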

Evidence notes

CVE published 2026-05-26. Vendor confirmation of fix via GitHub pull request and release tag. CVSS 4.0 vector indicates network attack vector with user interaction required, low integrity impact. CWE-79 (XSS) and CWE-94 (Code Injection) identified.

Official resources

2026-05-26