CVE-2026-33506: Ory Polis XSS — Patch Guide

Overview

A high-severity security vulnerability, tracked as CVE-2026-33506, has been identified in Ory Polis (formerly known as BoxyHQ Jackson). This software acts as a bridge, converting SAML login flows to OAuth 2.0 or OpenID Connect. The flaw is a DOM-based Cross-Site Scripting (XSS) vulnerability that could allow an attacker to execute malicious code in a victim’s web browser.

Vulnerability Details

In versions prior to 26.2.0, Ory Polis’s login functionality improperly trusts user-supplied input from a URL parameter named callbackUrl. This parameter is passed directly to the client-side navigation function router.push without adequate sanitization or validation. An attacker can craft a specially designed link containing malicious JavaScript within this parameter.

When an authenticated user-or an unauthenticated user who later logs in-clicks this malicious link, the application performs a client-side redirect. This action triggers the execution of the attacker’s embedded JavaScript code within the victim’s browser session, under the security context of the Ory Polis application domain.

Potential Impact

The ability to execute arbitrary JavaScript in a user’s browser session can have severe consequences:

• Credential Theft: An attacker could steal session cookies or authentication tokens, leading to full account compromise.
• Unauthorized Actions: The malicious script could perform actions on behalf of the victim, such as changing account settings, initiating transactions, or accessing sensitive data.
• Pivoting: In corporate environments, this could be used as an initial foothold to probe and attack internal network resources accessible from the user’s browser.
• Data Breach: Successful exploitation could lead to the exposure of sensitive user or organizational data. For insights into real-world data breaches, you can review breach reports.

The vulnerability is rated HIGH with a CVSS score of 8.8.

Remediation and Mitigation

The primary and most effective action is to apply the official patch.

Immediate Action:

1. Upgrade: All users of Ory Polis must upgrade to version 26.2.0 or later immediately. This release contains the necessary fix to properly validate and sanitize the callbackUrl parameter.
2. Verify: After upgrading, verify that the login flows function correctly and that any custom integrations remain operational.

Additional Security Posture:

• User Awareness: Remind users to exercise caution with unsolicited links, even those that appear to originate from trusted internal systems.
• Stay Informed: Keeping abreast of such vulnerabilities is crucial for maintaining security. Regular updates can be found in our security news section.

There are no effective workarounds for this client-side vulnerability; patching is the only complete solution. Failure to update leaves systems exposed to potential attack.