Cyber Posture

CVE-2026-21853

Severity: High · Public PoC

Published: 02 March 2026
Modified: 20 April 2026
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0025 (48.1st percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

AFFiNE is an open-source, all-in-one workspace and an operating system. Prior to version 0.25.4, it contains a one-click remote code execution vulnerability that is exploited by embedding a specially crafted affine: URL on a website. An attacker can trigger the vulnerability in two common scenarios: 1/ the victim visits a malicious website controlled by the attacker, which redirects to the URL automatically, or 2/ the victim clicks a crafted link embedded on a legitimate website (for example, in user-generated content). In both cases the browser invokes AFFiNE's custom URL handler, which launches the AFFiNE app and processes the crafted URL. This results in arbitrary code execution on the victim's machine without further interaction. The issue has been patched in version 0.25.4.

Mitigating Controls (NIST 800-53 r5) [AI]

Prevent: Directly prevents code injection by requiring validation and sanitization of the specially crafted affine: URL input before AFFiNE's custom handler acts on it.

Prevent: Mitigates the vulnerability through timely flaw remediation: patch AFFiNE to version 0.25.4 or later, where the unsafe URL processing was fixed.

Prevent / Detect: Provides defense in depth through malicious code protection mechanisms on the endpoint, which can block or detect the arbitrary code execution that follows exploitation of the URL handler.

Security Summary [AI]

CVE-2026-21853 is a remote code execution vulnerability affecting AFFiNE, an open-source all-in-one workspace and operating system, in versions prior to 0.25.4. The flaw stems from improper handling of specially crafted "affine:" URLs by AFFiNE's custom URL handler, classified under CWE-94 (Code Injection). It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its potential for network-based exploitation with low complexity and no privileges required.

Attackers can exploit this vulnerability without authentication by embedding a malicious "affine:" URL on a website. In one scenario, a victim visits an attacker-controlled site that automatically redirects to the URL; in another, the victim clicks a crafted link in user-generated content on a legitimate site. Either action triggers the victim's browser to invoke AFFiNE's handler, launching the app and processing the URL, resulting in arbitrary code execution on the victim's machine with no further interaction needed.

The vulnerability has been patched in AFFiNE version 0.25.4. The official security advisory (GHSA-67vm-2mcj-8965) and related pull request (#13864) on the project's GitHub repository detail the fix, implemented via commit c9a4129a3e9376b688c18e1dcd6c87a775caac80, which addresses the unsafe URL processing logic. Security practitioners should urge users to update to 0.25.4 or later and advise caution with "affine:" links from untrusted sources.
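The check that the input-validation control above asks for, as an added example written for this page: it is not AFFiNE's own code and not a reconstruction of the project's actual fix. It is a default-deny parser for URLs delivered through a custom affine: scheme handler. The action names (open, signin), the parameter names and the accepted patterns are assumptions chosen for illustration; what matters is the shape of the check, which belongs at the boundary where the desktop app receives the URL from the operating system, before anything is dispatched on its contents.

```javascript
// Added example (not AFFiNE project code): strict validation of URLs that
// arrive through a custom "affine:" scheme handler. Actions, parameter names
// and patterns below are hypothetical; a real handler would use its own.

// Per-action allowlist: the only parameters accepted and the exact shape each
// must have. Anything outside this table is rejected, so a crafted URL cannot
// smuggle extra arguments toward whatever the handler invokes next.
const ALLOWED_ACTIONS = {
  open:   { docId: /^[A-Za-z0-9_-]{1,64}$/ },      // hypothetical action
  signin: { token: /^[A-Za-z0-9._-]{16,512}$/ },   // hypothetical action
};
const MAX_URL_LENGTH = 2048;

// Returns { action, params } for an acceptable URL, or null for anything else.
// Rejecting by default is the point: the handler is reachable by any website.
function parseAffineUrl(raw) {
  if (typeof raw !== "string" || raw.length > MAX_URL_LENGTH) return null;
  // Control characters never belong in a deep link; reject before parsing.
  if (/[\u0000-\u001f\u007f]/.test(raw)) return null;

  let url;
  try {
    url = new URL(raw);
  } catch {
    return null;
  }

  if (url.protocol !== "affine:") return null;
  // Only "affine://<action>/?..." is accepted: no userinfo, port, path or fragment.
  if (url.username || url.password || url.port) return null;
  if (url.pathname !== "" && url.pathname !== "/") return null;
  if (url.hash) return null;

  const action = url.hostname;
  const schema = Object.prototype.hasOwnProperty.call(ALLOWED_ACTIONS, action)
    ? ALLOWED_ACTIONS[action]
    : null;
  if (!schema) return null;

  const params = {};
  for (const [key, value] of url.searchParams) {
    // Unknown or repeated parameters are rejected rather than ignored.
    if (!Object.prototype.hasOwnProperty.call(schema, key)) return null;
    if (Object.prototype.hasOwnProperty.call(params, key)) return null;
    // searchParams has already percent-decoded the value, so the pattern is
    // checked against what the application would actually consume.
    if (!schema[key].test(value)) return null;
    params[key] = value;
  }
  // Every parameter the action requires must be present.
  for (const key of Object.keys(schema)) {
    if (!Object.prototype.hasOwnProperty.call(params, key)) return null;
  }
  return { action, params };
}

// Example calls (constructed inputs, not payloads from the advisory):
// parseAffineUrl("affine://open/?docId=abc123")          -> { action: "open", params: { docId: "abc123" } }
// parseAffineUrl("affine://open/?docId=abc123&extra=1")  -> null (unknown parameter)
// parseAffineUrl("affine://open/?docId=..%2F..%2Fetc")   -> null (decoded value fails the pattern)
```

Rejecting unknown parameters instead of ignoring them is deliberate: a handler that forwards whatever it received into a subprocess argument, a file path or an interpreted configuration is how a one-click deep link turns into code execution, and a closed schema removes that channel regardless of which sink the data would have reached.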

Details

CWE(s)

CWE-94 Code Injection

Affected Products

affine / affine: versions prior to 0.25.4 (fixed in 0.25.4)

MITRE ATT&CK Enterprise Techniques [AI]

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

The vulnerability is a remote code execution in AFFiNE's custom URL handler, directly enabling exploitation of client software for arbitrary code execution (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References