Skip to content

Hugo: security.http.urls allow-list bypass via HTTP redirects

Moderate severity GitHub Reviewed Published May 28, 2026 in gohugoio/hugo • Updated Jun 16, 2026

Package

gomod github.com/gohugoio/hugo (Go)

Affected versions

>= 0.91.0, < 0.162.0

Patched versions

0.162.0

Description

Commit: 86fbb0f7a8security: Validate redirects against security.http.urls
Affected versions: v0.91.0 (when security.http.urls was introduced) through v0.161.1.
Fixed in: v0.162.0.
Severity: Only relevant for sites that rely on security.http.urls as a trust boundary — e.g. CI builds that fetch remote resources but want to constrain which hosts can be reached. Not an issue if you fully trust every URL passed to resources.GetRemote.

Description. resources.GetRemote enforces security.http.urls on the URL it is called with, but until v0.162.0 it did not re-validate intermediate URLs on HTTP 3xx redirects. An allowed server (or an attacker controlling its DNS or response) could therefore redirect the request to a host that the policy was meant to forbid — for example, http://localhost/ or an internal IP — and Hugo would fetch from the redirected target. The same bypass also lifted any host-shape restriction the operator had put in place.

Mitigation. v0.162.0 installs a CheckRedirect on the HTTP client used by resources.GetRemote that re-runs security.http.urls on every redirect target and caps the redirect chain at 10 hops. No configuration change is required.

References

@bep bep published to gohugoio/hugo May 28, 2026
Published to the GitHub Advisory Database Jun 16, 2026
Reviewed Jun 16, 2026
Last updated Jun 16, 2026

Severity

Moderate

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(16th percentile)

Weaknesses

Server-Side Request Forgery (SSRF)

The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. Learn more on MITRE.

CVE ID

CVE-2026-50134

GHSA ID

GHSA-vxgm-5rmg-5w8g

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.