CVE-2026-12804

Name	CVE-2026-12804
Description	A vulnerability was detected in lemonldap-ng up to 2.23.0. Impacted is an unknown function in the library lemonldap-ng-portal/lib/Lemonldap/NG/Portal/CDC.pm of the component SAML Common Domain Cookie Endpoint. Performing a manipulation of the argument url results in open redirect. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
lemonldap-ng (PTS)	bullseye	2.0.11+ds-4+deb11u5	vulnerable
	bullseye (security)	2.0.11+ds-4+deb11u8	vulnerable
	bookworm	2.16.1+ds-deb12u8	vulnerable
	bookworm (security)	2.16.1+ds-deb12u6	vulnerable
	trixie	2.21.2+ds-1+deb13u2	vulnerable
	forky, sid	2.23.0+ds-4	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
lemonldap-ng	source	(unstable)	(unfixed)

Notes

[trixie] - lemonldap-ng <no-dsa> (Minor issue)
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/work_items/3619
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/merge_requests/979