CVE-2026-13543
MediumCVSS 5.6Exploitation Probability (EPSS)
Low risk28th percentile — higher than 28% of all known CVEs
Summary
A vulnerability was found in Documenso up to version 2.11.0 in the Google OAuth Login component. An unknown function in handle-oauth-callback-url.ts leads to improper authentication. The attack can be launched remotely but is difficult to exploit due to high complexity.
Risk Assessment
The organization is at risk of unauthorized access to user accounts using Google OAuth login. A publicly available exploit increases the attack likelihood, potentially leading to data confidentiality breaches.
Recommendation
Immediately apply the available patch or temporarily disable Google OAuth login until an official fix is released. Monitor the Documenso repository for updates on the pending pull request.
Original NVD description (English source)
A vulnerability was detected in Documenso up to 2.11.0. Affected by this vulnerability is an unknown functionality of the file packages/auth/server/lib/utils/handle-oauth-callback-url.ts of the component Google OAuth Login. The manipulation results in improper authentication. It is possible to launch the attack remotely. This attack is characterized by high complexity. The exploitation appears to be difficult. The exploit is now public and may be used. The pull request to fix this issue awaits acceptance.

