CVE-2026-44372 MEDIUM

CVE-2026-44372: Nitro: Open Redirect via Protocol-Relative URL Bypass in Wildcard Route Rules

Vendor Nitrojs
Product nitro
Weakness CWE-601 · Open redirect
Published May 13, 2026
Last update May 14, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

Nitro is a next generation server toolkit. Prior to 3.0.260429-beta, an attacker could turn a redirect route rule using wildcards rewrite into a cross-host redirect by sliding an extra slash in after the rule prefix. This vulnerability is fixed in 3.0.260429-beta.

Key dates

02Disclosure timeline

May 13, 2026 CVE published
May 14, 2026 Record updated