Open Redirect in RTask Postback Parameter (DOM-26-002)


Summary

The RTask postback parameter was vulnerable to an open redirect. A crafted URL could redirect an authenticated user to an external site after completing an action, aiding phishing by making the link appear to originate from a trusted Digi On-Prem Manager instance.

Exploitation requires a logged-in user to click the crafted link.

The fix shipped in v26.04.1 (April 2026); this advisory is being published now as part of a consolidated disclosure.
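
For operators who want to check web access logs from before the update for links of the kind described above, the following is an added example, not code from Digi or from the product. It assumes combined-format access logs and that a legitimate postback value is always a same-site path; the parameter name is a placeholder because the advisory does not give it, and the /task path and all sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Placeholder: the advisory does not give the query-string name of the
# RTask postback parameter; set this to the name seen in your own logs.
PARAM = "POSTBACK_PARAM_PLACEHOLDER"

# Request line of a combined-format access log entry: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def is_local_target(value: str) -> bool:
    """True only for a same-site path: one leading '/', no scheme, no host."""
    if not value.startswith("/") or value[1:2] in ("/", "\\"):
        return False
    if any(ord(c) < 0x20 for c in value):  # control characters are never valid
        return False
    parts = urlsplit(value)
    return parts.scheme == "" and parts.netloc == ""


def offsite_redirects(log_lines, param=PARAM):
    """Return (line_number, value) for every request whose redirect
    parameter is anything other than a same-site path."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        for value in parse_qs(query).get(param, []):  # values are URL-decoded
            if not is_local_target(value):
                hits.append((number, value))
    return hits


# Constructed sample lines (not taken from a real system).
SAMPLE_LOG = [
    '192.0.2.10 - alice [01/Apr/2026:10:00:00 +0000] "GET /task?POSTBACK_PARAM_PLACEHOLDER=%2Fdevices HTTP/1.1" 302 0',
    '192.0.2.11 - bob [01/Apr/2026:10:01:00 +0000] "GET /task?POSTBACK_PARAM_PLACEHOLDER=https%3A%2F%2Fexample.net%2Flogin HTTP/1.1" 302 0',
    '192.0.2.12 - carol [01/Apr/2026:10:02:00 +0000] "GET /task?POSTBACK_PARAM_PLACEHOLDER=%2F%2Fexample.net HTTP/1.1" 302 0',
    '192.0.2.13 - dave [01/Apr/2026:10:03:00 +0000] "GET /status HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for number, value in offsite_redirects(SAMPLE_LOG):
        print(f"line {number}: off-site redirect target {value!r}")
```

A hit shows only that a request carried a non-local redirect target; correlate it with the authenticated session and the referrer to see whether a user actually followed such a link.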

Solution

Users should update to v26.04.1 or later.

Affected Versions

  • Digi On-Prem Manager versions before v26.04.1