{"id":"CVE-2026-50134","summary":"Hugo: security.http.urls allow-list bypass via HTTP redirects","details":"Hugo is a static site generator. From 0.91.0 until 0.162.0, resources.GetRemote enforces security.http.urls on the URL it is called with, but it did not re-validate intermediate URLs on HTTP 3xx redirects. An allowed server (or an attacker controlling its DNS or response) could therefore redirect the request to a host that the policy was meant to forbid and Hugo would fetch from the redirected target. The same bypass also lifted any host-shape restriction the operator had put in place. This vulnerability is fixed in 0.162.0.","aliases":["GHSA-vxgm-5rmg-5w8g","GO-2026-5681"],"modified":"2026-07-09T04:00:33.632720881Z","published":"2026-07-06T19:42:49.280Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/50xxx/CVE-2026-50134.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-918"]},"references":[{"type":"WEB","url":"https://github.com/gohugoio/hugo/releases/tag/v0.162.0"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/50xxx/CVE-2026-50134.json"},{"type":"ADVISORY","url":"https://github.com/gohugoio/hugo/security/advisories/GHSA-vxgm-5rmg-5w8g"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-50134"},{"type":"FIX","url":"https://github.com/gohugoio/hugo/commit/86fbb0f7a8bbb93e2e916390de9e5a4f24bf9f50"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/gohugoio/hugo","events":[{"introduced":"d1dc0e9a54b2eef5a52d0bb808c44cfa2a0e303e"},{"fixed":"076dfe13d0f789e3d9586b192f8f7f3329c26990"},{"fixed":"86fbb0f7a8bbb93e2e916390de9e5a4f24bf9f50"}],"database_specific":{"source":["CPE_RANGE","REFERENCES"],"extracted_events":[{"introduced":"0.91.0"},{"fixed":"0.162.0"}],"cpe":"cpe:2.3:a:gohugo:hugo:*:*:*:*:*:*:*:*"}}],"versions":["v0.161.1","v0.161.0","v0.160.1","v0.160.0","v0.159.2","v0.159.1","v0.159.0","v0.158.0","v0.157.0","v0.156.0","v0.155.3","v0.155.2","v0.155.1","v0.155.0","v0.154.5","v0.154.4","v0.154.3","v0.154.2","v0.154.1","v0.154.0","v0.153.5","v0.153.4","v0.153.3","v0.153.2","v0.153.1","v0.153.0","v0.152.2","v0.152.1","v0.152.0","v0.151.1","v0.151.0","v0.150.1","v0.150.0","v0.149.1","v0.149.0","v0.148.2","v0.148.1","v0.148.0","v0.147.9","v0.147.8","v0.147.7","v0.147.6","v0.147.5","v0.147.3","v0.147.2","v0.147.1","v0.147.0","v0.146.7","v0.146.6","v0.146.5","v0.146.4","v0.146.3","v0.146.2","v0.146.1","v0.146.0","v0.145.0","v0.144.1","v0.144.0","v0.143.1","v0.143.0","v0.142.0","v0.141.0","v0.140.2","v0.140.1","v0.140.0","v0.139.4","v0.139.3","v0.139.2","v0.139.1","v0.139.0","v0.138.0","v0.137.1","v0.137.0","v0.136.5","v0.136.3","v0.136.2","v0.136.1","v0.136.0","v0.135.0","v0.134.3","v0.134.2","v0.134.1","v0.134.0","v0.133.1","v0.133.0","v0.132.2","v0.132.1","v0.132.0","v0.131.0","v0.130.0","v0.129.0","v0.128.2","v0.128.1","v0.128.0","v0.127.0","v0.126.3","v0.126.1","v0.126.0","v0.125.7","v0.125.6","v0.125.5","v0.125.4","v0.125.2","v0.125.1","v0.125.0","v0.124.1","v0.124.0","v0.123.8","v0.123.7","v0.123.6","v0.123.5","v0.123.4","v0.123.3","v0.123.2","v0.123.1","v0.122.0","v0.121.2","v0.121.1","v0.121.0","v0.120.4","v0.120.3","v0.120.2","v0.120.1","v0.120.0","v0.119.0","v0.118.2","v0.118.1","v0.118.0","v0.116.1","v0.116.0","v0.115.4","v0.115.3","v0.115.2","v0.115.1","v0.115.0","v0.114.0","v0.113.0","v0.112.7","v0.112.6","v0.112.4","v0.112.3","v0.112.2","v0.112.1","v0.112.0","v0.111.3","v0.111.2","v0.111.1","v0.110.0","v0.109.0","v0.108.0","v0.107.0","v0.106.0","v0.105.0","v0.104.3","v0.104.2","v0.104.1","v0.104.0","v0.103.1","v0.102.3","v0.102.0","v0.101.0","v0.100.2","v0.100.1","v0.100.0","v0.99.1","v0.99.0","v0.98.0","v0.97.3","v0.97.2","v0.97.1","v0.97.0","v0.95.0","v0.94.2","v0.94.1","v0.94.0","v0.93.3","v0.93.2","v0.93.1","v0.93.0","v0.92.2","v0.92.1","v0.92.0","v0.91.2","v0.91.1","v0.91.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-50134.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N"}]}