CVE-2026-40295
Devise: Open Redirect via Unvalidated `request.referrer` in Timeoutable Session Timeout Handler
Description
Devise is an authentication solution for Rails based on Warden. In versions 5.0.3 and below, when the Timeoutable module is enabled in Devise, the FailureApp#redirect_url method returns request.referrer — the HTTP Referer header, which is attacker-controllable — without validation for any non-GET request that results in a session timeout. An attacker who hosts a page with an auto-submitting cross-origin form can cause a victim with an expired Devise session to be redirected to an arbitrary external URL. This contrasts with the GET timeout path (which uses server-side attempted_path) and Devise's own store_location_for mechanism (which strips external hosts via extract_path_from_location), both of which are protected; only the non-GET timeout redirect path is unprotected. Expired-session users can be silently redirected from the trusted app domain to attacker-controlled URLs, enabling phishing and malware delivery while bypassing browser warnings. Note: Rails' built-in open-redirect protection does not mitigate this issue. Devise::FailureApp is an ActionController::Metal app with its own isolated copy of the relevant redirect configuration, so config.action_controller.action_on_open_redirect = :raise (and the older raise_on_open_redirects setting) do not reach it. This issue has been fixed in version 5.0.4.
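As an added illustration (not Devise's own code, and not the 5.0.4 patch), the kind of same-origin check the non-GET timeout path lacked in 5.0.3: the Referer is reduced to a local path, and anything with a foreign host or a non-HTTP scheme falls back to the root. `same_origin_path`, `timeout_redirect_target` and the `app.example` / `evil.example` hosts are hypothetical names constructed for this example.

```ruby
require "uri"

# Reduce an attacker-influenced Referer value to a same-origin path before it
# is used as a redirect target. Illustrative re-implementation of the idea
# behind stripping external hosts; it is not Devise's extract_path_from_location.
def same_origin_path(location, app_host, fallback: "/")
  return fallback if location.nil? || location.strip.empty?
  uri = URI.parse(location.strip)
  # Accept only http(s) or scheme-less input; rejects javascript:, data:, etc.
  return fallback unless uri.scheme.nil? || %w[http https].include?(uri.scheme)
  # If a host is present it must be ours. Protocol-relative "//evil.example"
  # and userinfo tricks like "https://app.example@evil.example/" parse to a
  # foreign host and are therefore rejected here.
  return fallback if uri.host && !uri.host.casecmp?(app_host)
  path = uri.path.to_s.empty? ? "/" : uri.path
  # A bare path that browsers would treat as a new authority is not local.
  return fallback if path.start_with?("//")
  uri.query ? "#{path}?#{uri.query}" : path
rescue URI::InvalidURIError
  # Backslashes and other malformed input never become a redirect target.
  fallback
end

# Decide the post-timeout redirect. GET keeps using the server-recorded
# attempted path (the already-protected branch); non-GET requests, the branch
# that returned request.referrer verbatim in Devise <= 5.0.3, now pass the
# Referer through the same-origin check. Hypothetical helper for illustration.
def timeout_redirect_target(http_method:, attempted_path:, referrer:, app_host:, root: "/")
  if http_method.casecmp?("GET")
    attempted_path || root
  else
    same_origin_path(referrer, app_host, fallback: root)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a cross-origin auto-submitted POST with an expired session.
  puts timeout_redirect_target(http_method: "POST", attempted_path: nil,
                               referrer: "https://evil.example/phish", app_host: "app.example")
end
```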
INFO
Published Date: May 22, 2026, 8:16 p.m.
Last Modified: May 29, 2026, 6:55 p.m.
Remotely Exploitable: Yes
Source: [email protected]
CVSS Scores
| Version | Severity | Source |
|---|---|---|
| CVSS 3.1 | MEDIUM | MITRE-CVE |
| CVSS 3.1 | MEDIUM | [email protected] |
Solution
- Update Devise to version 5.0.4 or later.
- Verify session timeout redirect behavior.
- Review redirect configurations.
References to Advisories, Solutions, and Tools
Here you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2026-40295.
| URL | Resource |
|---|---|
| https://github.com/heartcombo/devise/commit/025fe2124f9928766fc46520e999633b598d0360 | Patch |
| https://github.com/heartcombo/devise/security/advisories/GHSA-jp94-3292-c3xv | Mitigation Vendor Advisory |
CWE - Common Weakness Enumeration
While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2026-40295 is associated with the following CWE:
- CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
Common Attack Pattern Enumeration and Classification (CAPEC)
CAPEC stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2026-40295 weaknesses.
The following table lists the changes that have been made to the CVE-2026-40295 record over time. Vulnerability history details can be useful for understanding the evolution of a vulnerability and for identifying the most recent changes that may affect its severity, exploitability, or other characteristics.
Initial Analysis by [email protected] (May 29, 2026)
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | CPE Configuration | | OR cpe:2.3:a:heartcombo:devise:*:*:*:*:*:ruby:*:* versions up to (excluding) 5.0.4 |
| Added | Reference Type | | GitHub, Inc.: https://github.com/heartcombo/devise/commit/025fe2124f9928766fc46520e999633b598d0360 Types: Patch |
| Added | Reference Type | | GitHub, Inc.: https://github.com/heartcombo/devise/security/advisories/GHSA-jp94-3292-c3xv Types: Mitigation, Vendor Advisory |

New CVE Received by [email protected] (May 22, 2026)
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Description | | (vulnerability description, identical to the Description section above) |
| Added | CVSS V3.1 | | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| Added | CWE | | CWE-601 |
| Added | Reference | | https://github.com/heartcombo/devise/commit/025fe2124f9928766fc46520e999633b598d0360 |
| Added | Reference | | https://github.com/heartcombo/devise/security/advisories/GHSA-jp94-3292-c3xv |