python · Flask-Security · Heads-up

Flask-Security Open Redirect via Backslash in URL Authority

24 Jun 2026 · Read 1 min · Severity: schedule it

What changed

Flask-Security's validate_redirect_url() function can be bypassed using a backslash in the URL authority, allowing open redirect when subdomain redirects are enabled.

Who it affects

Applications using Flask-Security with SERVER_NAME set and SECURITY_REDIRECT_ALLOW_SUBDOMAINS=True.

What to do today

Disable subdomain redirects (SECURITY_REDIRECT_ALLOW_SUBDOMAINS=False) or apply a fix that properly validates URLs containing backslashes.
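A hardened redirect-target check of the kind the advice above calls for, added here as an example; it is not Flask-Security's validate_redirect_url() and assumes a server_name argument mirroring SERVER_NAME and an allow_subdomains flag mirroring SECURITY_REDIRECT_ALLOW_SUBDOMAINS:

```python
from urllib.parse import urlsplit


def is_safe_redirect(url: str, server_name: str, allow_subdomains: bool = False) -> bool:
    """Return True only if `url` is a local path or points at server_name
    (or one of its subdomains when allow_subdomains is set).

    Hypothetical hardened check, not Flask-Security's own implementation."""
    if not url:
        return False
    # Browsers (WHATWG URL parsing) treat a backslash in http(s) URLs like a
    # forward slash, so urlsplit() and the browser can disagree about where
    # the authority ends. Refuse any backslash instead of trying to normalise.
    if "\\" in url:
        return False
    # Control characters and whitespace are stripped or re-split differently
    # by different parsers; refuse them as well.
    if any(ord(c) < 0x21 for c in url):
        return False
    parts = urlsplit(url)
    if parts.scheme == "" and parts.netloc == "":
        # Plain local path. "//host" would have yielded a netloc, but reject a
        # bare "//" prefix explicitly so nothing scheme-relative slips through.
        return url.startswith("/") and not url.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False
    # .hostname drops userinfo and port, so "user@host" cannot confuse the match.
    host = (parts.hostname or "").lower().rstrip(".")
    expected = server_name.lower().split(":")[0]
    if host == expected:
        return True
    # Subdomain match requires the dot boundary, so "notapp.example.com" fails.
    return allow_subdomains and host.endswith("." + expected)


if __name__ == "__main__":
    # Constructed sample targets; app.example.com stands in for SERVER_NAME.
    for target in ("/dashboard", "https://sso.app.example.com/cb",
                   "https://evil.example/", "https://app.example.com\\x/"):
        print(target, is_safe_redirect(target, "app.example.com", True))
```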
