The Offensive Security Team of BDO Cyber Security GmbH discovered a security vulnerability in the support endpoint (/api/support) of the GlobaLeaks whistleblower platform and promptly reported it to the responsible development team. The issue involved insufficient validation of URLs in incoming support requests, which were forwarded in support emails to administrators. This insight outlines our discovery, risk assessment and mitigation steps.
GlobaLeaks is a widely used open-source platform for anonymous whistleblowing and secure submission channels. Its design emphasizes privacy, anonymity and transparency, making it attractive for organizations handling sensitive reports.
During a penetration test of a GlobaLeaks-based application the Offensive Security Team at BDO Cyber Security GmbH identified a vulnerability in the support endpoint (/api/support), tracked as CVE-2026-33284. In GlobaLeaks versions up to 5.0.88, URLs submitted in support requests were forwarded verbatim in email notifications to administrators without sufficient server-side validation.
Many email clients automatically convert URL-like text into clickable links. An attacker able to submit a support request could therefore cause administrators to receive emails containing links to attacker-controlled sites. By leveraging such messages, attackers can attempt phishing or social-engineering campaigns aimed at stealing credentials, or otherwise deceiving administrators.
The vulnerability does not allow remote code execution, service disruption or direct data disclosure from the GlobaLeaks instance; instead, exploitation requires an administrator to interact with a malicious link. Technically this is a low-risk issue, but operationally it represents a meaningful phishing vector targeting human operators.
We reported the issue to the GlobaLeaks project on 13 March 2026. The vendor released a fix in GlobaLeaks 5.0.89 on 19 March 2026. The patch implements a function that defangs submitted URLs, thereby closing the attack vector. Operators should update to GlobaLeaks 5.0.89 or later as the primary remediation step.
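One way to implement the defang step described above, as an added example that is not the GlobaLeaks project's own code: the URL pattern, the hxxp/[.] rewriting convention and the sample support text are assumptions of this example.

```python
import re

# Matches URLs as they typically appear in free-text support requests:
# an explicit scheme (http, https, ftp) or a bare "www." hostname.
# Trailing sentence punctuation is excluded from the match so that
# "see www.example.net." does not swallow the final period.
# This pattern is an assumption of the example, not the project's own.
_URL_RE = re.compile(
    r"(?i)\b((?:https?|ftp)://|www\.)[^\s<>\"']*[^\s<>\"'.,;:!?)\]]"
)


def defang_url(url: str) -> str:
    """Rewrite one URL so that mail clients no longer auto-link it.

    Convention used here: a leading 'http' becomes 'hxxp', '://' becomes
    '[://]' and every '.' becomes '[.]'. The administrator can still read
    the original address, but it is no longer a clickable link.
    """
    out = re.sub(r"(?i)^http", "hxxp", url)
    out = out.replace("://", "[://]")
    return out.replace(".", "[.]")


def defang_text(text: str) -> str:
    """Defang every URL in a free-text message before it is embedded
    in an administrator notification email."""
    return _URL_RE.sub(lambda m: defang_url(m.group(0)), text)


# Constructed sample support request used to exercise the functions.
SAMPLE_REQUEST = (
    "I cannot log in. Please check https://example.com/login?x=1 "
    "or www.example.net."
)


def build_admin_notification(request_text: str) -> str:
    """Return the notification body with all submitted URLs defanged."""
    return "New support request:\n\n" + defang_text(request_text)


if __name__ == "__main__":
    print(build_admin_notification(SAMPLE_REQUEST))
```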
CVE-2026-33284 illustrates how minor input-handling omissions in administrative notification flows can produce practical phishing vectors against the human elements of security. Technical patches are essential but combining them with operational controls and awareness measures is necessary to mitigate the real-world risk.
You can find additional CVEs and security advisories disclosed by our team on our advisory overview page. Furthermore, we are available to assist you in identifying or remediating vulnerabilities in systems, applications or IoT devices. Our Offensive Security services include penetration testing and red-team exercises in order to stay one step ahead of attackers. In addition, we offer a range of consulting services to complete our portfolio.
For details and to arrange a tailored engagement, please contact us here.


